Regulator of the year: OCC

Operational Risk Awards 2017: Agency encourages, and if necessary, forces banks to bolster defences

OpRisk Awards 2017
Beth Dugan, OCC

Advanced cyber attacks threaten not only individual banks, but the financial sector and broader economy as a whole. That’s why financial regulators have made it their duty to marshal the industry’s defences against tech-savvy criminals. Leading the way is the US Office of the Comptroller of the Currency (OCC), which has proactively worked to co-ordinate responses by the private and public sectors to combat the ever-growing danger these criminals pose.  

“What you see is the maturation of the threats and capabilities of actors across the globe and domestically,” says Bob Phelps, director for critical infrastructure policy at the OCC in Washington, DC. “The technology has always existed, but the sophistication has warranted increased oversight and examination procedures.”

Phelps’ assessment is borne out by the statistics. The size of cyber attacks across industries has rocketed year-on-year. The average peak size of distributed denial of service (DDoS) attacks increased 167% from 2015 to 2016, according to a report by Verisign, an internet security firm: from 6.02 gigabits per second (Gbps) to 16.1 Gbps. The average peak attack size against the financial industry was 10.4 Gbps in the fourth quarter of 2016.

Under its charter of ensuring the safety and soundness of the banking system, the OCC has supervisory authority to encourage, and if necessary, force individual banks to bolster their cyber security defences. 

“We will alert the industry to new tools and exercises to enable them to be better and stronger, but if we don’t see them doing that, we will be the cop that says you do not have sufficient risk management, and we will need to work with you and help you rehabilitate yourself,” says Beth Dugan, deputy comptroller for operational risk at the OCC, to whom Phelps reports.

The regulator also takes a hands-on approach to unfolding cyber attacks. Although banks are not required to report most incidents, under the Gramm-Leach-Bliley Act they are required to report events that result in a breach and loss of personally identifiable customer information. If a significant event occurs, the bank must report it to the OCC, which then co-ordinates with other government agencies to assess whether there is a broader impact.

If the scale of the incident warrants it, an OCC supervisory team will be dispatched to the site. At larger institutions, the regulator has a team permanently installed. The OCC then monitors the event to assess its threat to the safety and soundness of the financial system.

OCC bank examiners receive specialised training in identifying and remedying threats, and employ a cybersecurity assessment tool (Cat) that was issued in 2015 by the Federal Financial Institutions Examination Council, a group of primary bank supervisors. “The examination is based on each institution’s risk profile,” says Phelps. “We’ve been doing Cat exams for almost two years to help us assess the cyber posture of each bank and the national banking system as a whole.”

Phelps, a former Navy intelligence officer, is responsible for establishing OCC policy related to all areas of critical infrastructure, including cyber security. The critical infrastructure policy group he heads was established in 2013 to identify and assess systemic operational risk that could degrade or interrupt the federal banking system and raise national economic security concerns. The group also provides expertise on management, critical infrastructure resiliency and cyber security.

“Cyber is fundamentally an operational risk issue with people, processes and technology,” Phelps explains. “It’s not a technology issue alone. Very few operations inside a bank do not involve technology, but fundamentally it’s a people issue and making sure there are effective policies in place.”

The OCC has also actively worked with private sector industry groups to bolster the financial sector’s defences. These include the Financial Services Sector Coordinating Council, which outlined specific actions the US government should take to improve cyber security in a set of recommendations published on January 17, 2017, and the Financial Systemic Analysis & Resilience Center, a group of eight systemically important institutions working to identify vulnerabilities related to cyber threats.

The agency also plays a key role in the “Hamilton” series of exercises, a joint private-public project that examines the impact on the financial sector of a hypothetical large-scale cyber attack. “We have a close relationship with the intelligence community and law enforcement,” says Phelps. “We have regular meetings with them to understand the latest threats. We’re very focused on bank risk management practices, and they can identify tactical issues.”
