Comptroller of the Currency Thomas Curry spoke on Wednesday on the growing threat of cyberattacks and concerns regarding financial institutions’ reliance on third parties to secure their own systems.
“The fact is, we live in a world where consumers use their cellphones to deposit checks, pay bills over the internet and make purchases at the mall by swiping a credit card, and they’re very sensitive to any suggestion that those systems might not be secure,” Curry said in prepared remarks at a recent electronics industry conference.
Curry said consumers likely do not think about the role of payment and settlement systems, adding that an attack on such systems could be even more damaging than a data leak at a large retailer.
“It’s one thing to worry about whether someone is making charges on your credit card, as troubling as that might be,” Curry said. “It’s quite another to worry about whether the accounts that hold your life’s savings are secure.”
Curry said banks rely on third parties to support their business activities and systems, and the interconnectedness of payment system participants “provides potential access points to all of the connected networks, thereby introducing new and different weaknesses into the system.”
Curry said the OCC has taken enforcement actions against several larger institutions for their “poorly-managed third-party relationships” but added that he does not discourage the use of third-party companies.
“[W]e do expect the banks and thrifts we supervise to recognize that third-party relationships also pose significant risks, and any institution that supplements its own resources with outside providers needs to have risk management practices in place that are commensurate with that risk,” Curry said.
As larger institutions seek to improve their security, Curry said hackers will likely focus their attention on community banks and other smaller institutions that can be an access point for larger networks.
“As a result, we are particularly focused on controls and risk management practices employed by vendors that provide services to banks and thrifts,” Curry said.
Additionally, Curry pointed to a related trend of reliance by banks on outside vendors to support critical activities and the access third party firms have to large amounts of sensitive consumer data.
“All of these risks are manageable,” Curry said. “But they must be managed. Some banks that historically have been regarded as well-managed have found themselves in trouble because they underestimated the risk in third-party relationships and didn’t have the right controls in place. As a result, they faced credit losses, compliance problems, litigation exposure and loss of reputation.”