FRB Governor Warns Banking Industry of Third-Party Cybersecurity Risks
Federal Reserve Board ("FRB") Governor Michelle W. Bowman cautioned banks about cybersecurity risks related to third-party technology firms and stressed the responsibility of banks to manage these risks.
In remarks at the Midwest Cyber Workshop, Ms. Bowman said that the demand for innovative and personalized products and services has increased reliance on third parties. This, she said, could expose banks to an increased risk of cyberattacks, including ransomware or exploitative hacks through third-party or external applications. Speaking on the substantial rise in the frequency of ransomware attacks, Ms. Bowman said that banks will be better positioned to handle such attacks by using a "robust, formal risk assessment process" to establish a "comprehensive action plan." Ms. Bowman also addressed obligations for banking organizations under the FRB's recently adopted computer security notification rule, which requires banks to report cyber incidents.
Ms. Bowman emphasized that utilizing third parties to provide products and services to customers does not relieve banks of the responsibility to conduct their activities in a sound manner, and that banks must conduct thorough oversight of any third party to ensure that it operates in compliance with applicable banking regulations. She said that banks should continue utilizing third-party services to keep pace with innovation, but cautioned that a bank should only do so if it is well equipped to mitigate the associated risks.