OCC Deputy Comptroller Discusses Operational Risk and Cyber Threats
Office of the Comptroller of the Currency Deputy Comptroller for Operational Risk Beth Dugan discussed cyber threats, operational risks and the importance of effective risk management in a speech at The Clearing House's Operational Risk Colloquium.
According to Ms. Dugan, while the impact of cyber threats on financial services firms has been relatively limited to date, the severity of such threats is escalating rapidly as cyber attackers become increasingly sophisticated in exploiting the vulnerabilities of commonly used infrastructures. In particular, Ms. Dugan noted that cyber attackers are increasingly:
- using targeted emails and other forms of social engineering to compromise systems and credentials;
- using malware to corrupt legitimate Web sites;
- encrypting data and mobile devices in order to extort users or organizations into paying ransoms to retrieve such data or to regain access to such devices;
- exploiting gaps in operating systems at foreign financial firms to install malware that destroys the operating systems; and
- broadly sharing tools to identify and exploit infrastructure vulnerabilities.
Ms. Dugan recommended that, to address the growing risk of cyber threats, every financial institution should become a member of the Financial Services Information Sharing and Analysis Center ("FS-ISAC"). Additionally, Ms. Dugan recommended that financial institutions expand hypothetical disruption scenarios to include the impact of cyber threats on third-party service providers, customers and other critical infrastructure components. Finally, Ms. Dugan stressed the importance of (i) cultivating a "strong risk culture," which would include routine discussions of cyber threats, as well as (ii) training and awareness programs for employees.
See: Ms. Dugan's Speech.