The Biden administration issued an unusually broad executive order in May addressing cyberattacks against federal government agencies (including the Federal Reserve, FDIC, and OCC) and companies that contract with them, noting these “incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable.” As a result, examiners may look more deeply into financial institutions and their third-party relationships (TPRs) that provide, for example, debit cards for government benefits, in an effort to ensure processes, procedures, and technologies are firmly in place to avert an attack.
Economic growth is forecast to reach 6.3% in 2021 assuming people continue to get vaccinated, COVID-related restrictions ease, and more confident consumers increase spending. A booming economy is good news, though it also brings elevated operational risk requiring monitoring and adjustment of internal risk controls, resolution, and mitigation strategies to adapt to an increasingly complex technology and cybersecurity environment.
Although immediate financial gain through phishing attacks that target IT networks remains the most common threat, gaining access to unemployment and economic impact payments happens more and more frequently as fraudsters take advantage of the billions of dollars in government funding flowing through the financial system. Ransomware attacks coordinated between multiple intruders also continue to impact organizations forced to pay extortion demands or risk the release of sensitive information. These attacks influence not only current operations, but also business continuity planning by challenging assumptions about what it takes to contain an intrusion, notify impacted parties, and ensure safe storage of critical data.
Another concerning trend: software developers that help maintain IT infrastructures are being compromised so malicious attacks can be distributed through updates to their products. This is another important reason for leadership to continually monitor TPRs.
A recent OCC, FDIC, and Fed interagency paper, Sound Practices to Strengthen Operational Resilience, details regulations and guidance to address operational resilience – the ability to deliver critical operations and core business lines by coupling operational risk management with sufficient resources to prepare, adapt, withstand, and recover from a cyber incident or other disruption.
Sound Practices to Strengthen Operational Resilience: https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-144a.pdf