OCC Releases Fall Report on Cybersecurity Elevated Risks
On December 6, 2021, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective for Fall 2021, which outlined the elevated operational risks associated with the recently increased occurrence of cyberattacks, the impact of the COVID-19 virus, and other compliance hurdles.
Cybersecurity
The OCC has seen cyberattacks increase in sophistication, variation, and frequency, with a greater impact on the level of operational risk.
The OCC recommends that banks “adopt robust threat and vulnerability monitoring processes and implement stringent and adaptive security measures such as multi-factor authentication or equivalent controls to authenticate access to sensitive systems. Network systems should be properly configured and have effective patch management processes in place. Banks should also ensure that critical systems and records are backed up and stored in immutable formats that are isolated from ransomware or other destructive malware attacks.”
The OCC also recommends that banks conduct a third-party risk assessment of the cyber vulnerabilities associated with their third-party vendors and a risk-based due diligence review of the services provided by the vendors to ensure the vulnerabilities are ‘commensurate’ with the criticality of the activity provided.
The Impact of the COVID-19 Virus
According to the report, the “winding down” of pandemic relief issued by the government throughout the last few years “creates increased compliance responsibilities, high transaction volumes, and new fraud types at a time when banks continue to respond to a changing operating environment[.]”
In light of these impacts, banks should “continue to monitor and manage changes and associated risks; ensure that new processes incorporated into their compliance risk management programs are effective and address changes in laws and regulations; manage operational challenges; and ensure compliance obligations are fulfilled while functioning with staff working remotely.”
The report further notes that monitoring customer complaints gives some indication of the issues facing consumers and can form the basis of necessary action.
Other Compliance Issues
Other compliance issues addressed in the report include:
responsibilities associated with underwriting and opening new accounts, monitoring customer activity, processing transactions, making loan modifications, servicing loans, communicating with customers, complying with consumer protection laws, and treating customers fairly;
adapting to regulatory and policy actions by the Consumer Financial Protection Bureau (CFPB);
the recommended practice of assessing the risks that climate change presents to the health and safety of their institutions from climate events across the world, such as hurricanes, wildfires, floods, heatwaves, and sea level rise, and the impacts these events will have on government policy, technology, and consumer/investor sentiment;
conducting due diligence and risk management on the introduction and implementation of crypto-asset based products and services; and
keeping risk management and control environments up to date with innovative and emerging trends.
If you have any questions or concerns about this report, please contact Kennedy Sutherland.