Fed’s Barr: Banks need to think beyond cyber defense

Cybersecurity preparedness has become increasingly important for banks, but focusing on defense is not enough—banks must also develop and regularly test business continuity plans, Federal Reserve Vice Chairman for Supervision Michael Barr said Wednesday. Speaking at a Boston conference on cyber risk in the financial sector, Barr said techniques to quantify cyber risk are still at “a nascent stage,” in part because of a lack of good data.

“Cyber threats are constantly evolving, and we can expect them to become increasingly disruptive as technology advances and our financial system becomes more interconnected,” Barr said. “In the past few months, ransomware attacks have disrupted the ability of some financial institutions to offer a variety of banking and market services, including Treasury clearance and settlement and access to online banking and ATM operations. These incidents were resolved without significant disruption to the broader market, but they are stark reminders of the potential for cyber incidents to generate broader, even systemic risks, and the importance of addressing these risks.”

Barr also said that reliance by banks on third-party vendors has grown in recent years, which introduces the potential for greater cyber risk. “It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard,” he said, pointing to guidance issued by the banking agencies last year for managing third-party risk.