On December 6, 2021, the National Risk Committee of the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2021, which reports on key issues affecting the federal banking system. The report highlights the “evolving and increasingly complex” danger to the financial system from cyber threats, and encourages banks and financial institutions to adopt robust cyber controls to minimize operational risk. It also stresses the need for risk-management policies and procedures that are tailored to new technological innovations, including cryptocurrencies and other digital assets.
The OCC’s publication further highlights the need for financial institutions to assess their cybersecurity policies and controls and to ensure they have adequate procedures in place to address the evolving threat picture and regulatory landscape.
Federal regulators like the OCC are engaging in ongoing efforts to address the heightened cybersecurity risks faced by financial institutions and to encourage those institutions to reevaluate the adequacy of their cyber safeguards. For example, as discussed in our previous blog post, the OCC, the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (Board) recently announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents.[i] With the subsequent publication of its Semiannual Risk Perspective on December 6, the OCC is again signaling to the financial industry the need to make cybersecurity risk management and compliance a top priority.
The Semiannual Risk Perspective
The OCC’s National Risk Committee (NRC) includes senior government officials who supervise banks and develop bank supervisory policy that addresses key industry trends. The NRC’s Semiannual Risk Perspective addresses issues facing the financial industry in five key areas—operating environment, bank performance, special topics in emerging risks, trends in key risks, and supervisory actions—and focuses on risks “that pose threats to the safety and soundness of banks and their compliance with applicable laws and regulations.”[ii] This post addresses some of the key cyber-related issues from the report.
Cybersecurity and Operational Risk
After noting the “increase in ransomware attacks in financial services,” the OCC’s report stressed that “[o]perational risk remains elevated as cyber attacks evolve, become more sophisticated, and cause damage to a variety of industries.”[iii] The report specifically mentioned the “[e]xpansion of remote financial services via personally owned computers and mobile devices, remote work options, such as virtual private networks, and reliance on third-party providers to include cloud-based environments” as technological developments susceptible to illicit cyber activity.[iv]
In response to the evolving cyber landscape, the OCC made specific recommendations for financial institutions, including:
- adopting robust threat and vulnerability monitoring processes;
- implementing stringent and adaptive security measures such as multi-factor authentication or equivalent controls to authenticate access to sensitive systems;
- confirming that network systems are properly configured and have effective patch management processes in place;
- ensuring that critical systems and records are backed up and stored in immutable formats that are isolated from ransomware or other destructive malware attack; and
- assessing risks from third-party vendors and partners, inclusive of the supply chain, by conducting risk-based due diligence commensurate with the criticality of the activities provided by the third parties.[v]
Additionally, the report stressed that institutions are responsible for implementing risk management policies that “keep pace with innovation and emerging trends,” and that “a comprehensive understanding of risk should be achieved to preserve effective controls . . . commensurate with the size and complexity of products, services, and operations being supported.”[vi] In this context, examiners like the OCC will exercise continued oversight to assess how institutions are complying with their industry-specific regulatory requirements as technology develops.
The OCC pointed to additional resources for banks in assessing their cybersecurity capabilities including the Information Technology Examination Handbook maintained by the Federal Financial Institutions Examination Council (FFIEC), which addresses secure and resilient architecture design, infrastructure implementation, and operation of information technology systems.
Digital Assets in the Banking Sector
The OCC’s report highlighted a specific innovation in the financial sector and its implications from a risk-management perspective: the rise of cryptocurrencies and other digital assets. The report observed that the “[g]rowing interest in cryptocurrencies has led some banks to explore the development of crypto-custody services, crypto-asset derivative products, or the provision of access to third-party crypto-related products.”[vii] This in turn reinforces the need for adequate policies and procedures “to identify and address strategic, operational, compliance, and reputational risks” presented by such products and services.[viii] Importantly, the OCC noted that it “is approaching crypto-related activities in the federal banking system very carefully with a high degree of caution and expects its supervised institutions to do the same,” including by “reach[ing] out to the appropriate OCC supervisory office before engaging in crypto-related activity.”[ix]
Along with the Federal Reserve and the FDIC, the OCC is part of a Digital Assets Policy Initiative that plans to provide additional guidance throughout 2022 on crypto-related activity in the financial space. Specifically, the agencies in the Initiative plan to provide greater clarity on whether certain activities related to crypto-assets conducted by banks—including crypto-asset custody services, facilitation of customer purchases and sales of crypto-assets, loans collateralized by crypto-assets, issuance and distribution of stablecoins, and activities involving the holding of crypto-assets on balance sheets—are legally permissible. They also plan to provide expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations.[x]
The OCC’s Semiannual Risk Perspective for Fall 2021 is another reminder for financial institutions—and for companies across industries—to take seriously their obligations to adopt robust cyber controls and risk management procedures that adequately reflect new technologies and the evolving threat picture. Companies should work with internal personnel and outside advisors to, among other things, keep abreast of key developments and trends in cybersecurity; develop or strengthen internal cyber policies and controls tailored to their businesses; and ensure adequate mechanisms are in place for compliance with cyber-related regulations. In particular, companies in or seeking entrance to the digital-asset space should ensure they are sufficiently prepared for the substantial regulatory challenges involved.
Office of the Comptroller of the Currency, National Risk Committee, Semiannual Risk Perspective: Fall 2021 (Dec. 6, 2021), https://www.occ.treas.gov/publications-and-resources/publications/semiannual-risk-perspective/files/pub-semiannual-risk-perspective-fall-2021.pdf.
[i] See Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 66424, 66437 (Nov. 23, 2021), https://www.govinfo.gov/content/pkg/FR-2021-11-23/pdf/2021-25510.pdf.
[ii] Semiannual Risk Perspective, supra note 1 at ii.
[iii] Id. at 18.
[v] Id. at 18, 20.
[vi] Id. at 19–20. The OCC observed that innovation can provide many benefits to banks and their customers, but also presents risks. Specific “[e]xamples of areas of continuing innovation” in the financial space noted by the OCC “include faster and real-time payment products, increased use of mobile and digital technologies to deliver financial services, application programming interfaces, data aggregation services, and contactless payment devices.” Id. at 19.
[vii] Id. at 20.
[ix] Id. at 19.
[x] Id. at 21.