OCC’s Hsu gives banks high marks on mitigating cyber risk, but says there’s more to do

The financial services sector has done “a good job” so far of building cyber defenses and working with law enforcement and the regulatory community to guard against attacks, but there’s more work to be done, said Acting Comptroller of the Currency Michael Hsu today during remarks to financial services groups.

He noted that the OCC has observed increases in cyberattack frequency and severity against financial institutions and service providers. Cyberattacks, such as ransomware, have elevated risks beyond financial loss, Hsu said. “Disruption to financial services can significantly impact banks’ abilities to deliver critical services to their customers and has the potential to affect the broader economy. Many of the largest financial institutions … not only support their own customers, but also support critical activities including wholesale payments, trade settlement and custody.”

Hsu said cybersecurity breaches have been caused or intensified by the failure to have effective controls in three areas: strong authentication; effective systems configuration and patch management; and cyber response and resilience capabilities. He said banks need to assess the potential effect cyber incidents may have on their institutions as well as the broader financial system, adding that “effective management of basic cybersecurity controls can significantly contribute to enhancing the resilience of systems and operations against cyber threats.”