In its Spring 2013 Semiannual Risk Perspective Report, released in the summer, the Office of the Comptroller of the Currency (OCC) highlights the increasing sophistication of cyberthreats and the increased reliance on technology as a key operational risk for banks under its supervision.
The OCC report specifically notes that "increasingly sophisticated cyberthreats, expanding reliance on technology and changing regulatory requirements are heightening operational risk," and posing a threat to "confidentiality, integrity and availability of [bank] systems."
Cyberthreats, the report notes, require "heightened awareness and appropriate resources to identify and mitigate the associated risks," and the costs and resources required to mitigate the risks are growing with the scale of such risks.
The costs of failing to address cyberattack risks, however, are greater, including compromised availability or diminished response times for online banking services, as well as data security issues, fraud, identity theft and criminals seeking to disrupt, degrade or deny access to bank information systems. All of this can "strain bank resources and can cause financial, operational and reputational harm," the report adds.
Raising the stakes even higher, a recent Pew Research survey indicates that more than half of all U.S. adults (representing 61 percent of Internet users) bank online. The survey also notes that more than a third of cellphone users engage in mobile banking. And the numbers for both categories are expected to continue to climb.
As the industry strains to keep up with the demand for online and mobile banking services--and newer and more sophisticated cyberthreats continue to emerge--banks, in an effort to reduce operating costs, are adopting newer and "less market-tested applications" and increasing outsourcing.
This raises another hot-button issue for federal bank regulators--the ability of banks to understand the risks associated with third-party vendor strategies and to provide effective oversight of cybersecurity outsourcing solutions.
According to the OCC, regulators are reviewing "programs for assessing the evolving cyberthreat environment and continuously adjusting controls, as well as for robust vulnerability assessments and timely correction, access management and incident response."
Rather than issue new regulations, for now it appears that the regulators are focusing on corporate governance tools to monitor and address cyberthreats and related bank operational risks. It is clear, however, that the banking agencies stand ready to take policy and supervisory actions in response to increasing cyberthreats.
Cybersecurity Efforts at the Federal Level Increase
Congress is also focusing on cybersecurity issues, with the House passing the Cyber Intelligence Sharing and Protection Act (CISPA) in April. The legislation would facilitate the exchange of information among corporations and between the private sector and government intelligence agencies regarding cybersecurity risks.
Critics argue CISPA should require personal data to be stripped from information that companies share with the government. While the Senate has yet to hold a vote on CISPA, another bill, the Cybersecurity and American Cyber Competitiveness Act of 2013, was...