OCC Comptroller Urges Multifactor Authentication For Financial Services Sector

On August 2, 2022, Acting Comptroller of the Currency Michael J. Hsu made remarks[1] before the Joint Meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council relating to the use of multifactor authentication.

At the outset of his speech, Hsu acknowledged that the financial services industry had done a “good job of building cyber defenses and working with law enforcement and the regulatory community to guard against attacks.” However, he warned that this sense of success should not be confused with a “false sense of security” as cyber threats are “constantly evolving” and “vigilance must be maintained, especially when things are quiet.”

Hsu acknowledged that advancements in financial institutions’ information technology have enhanced interconnectivity between participants in the sector and have given participants of all sizes the opportunity for equality among the largest financial institutions and the newest emerging financial technology (“fintech”) companies. However, these emerging opportunities also present new sets of threats and risks.

Specifically, Hsu noted that cyber incidents are no longer primarily motivated by financial interests. Now, as evidenced by attacks following the Russian invasion of Ukraine, threat actors are deploying malware simply to create destruction in the industry.

In response to these threats, Hsu stated it was “essential that financial institutions continue both to invest in building a secure and resilient infrastructure and to collaborate through public/private partnerships, such as the coordinated efforts of the FBIIC and FSSCC to strengthen the defense of the financial sector.”

Importantly, Hsu stated that the majority of breaches that have occurred “have been caused or exacerbated by failure to have effective controls in the following three areas: strong authentication; effective systems configuration and patch management; and cyber response and resilience capabilities.”

Hsu encourages all financial institutions to follow the example of the OCC and implement “strong preventative controls” such as “multifactor authentication controls for access to all nonpublic systems” to serve as the “first line of defense against malicious cyber actors.” 

Additionally, Hsu states that the “next most common contributing factor to cyber breaches at financial institutions has been the result of misconfigured or unpatched systems.” As such, financial institutions should ensure that their information systems are properly structured to deploy “effective incident response processes and rapid recovery in the event that preventative controls are not sufficient to safeguard against a cyber event.”

