OCC's Curry: Third-Party Risks Growing

Managing Vendor Security Is Increasing Concern
OCC's Curry: Third-Party Risks Growing
Thomas Curry

Controller of the Currency Thomas Curry warned in an April 16 speech that third-party security risks are creating increasing vulnerabilities for community banks.

See Also: Close Your Third-Party Risk Vulnerability Gap

Ensuring due diligence and ongoing risk assessments of all third-parties must be a part of every banking institution's vendor management program, he stressed in a presentation at a Washington event.

"Many smaller institutions depend upon third-party providers for their IT services, including security," Curry said. "But they still have to be able to assure themselves that these service providers have adequate controls and solid processes in place to protect them and their customers. This can be particularly problematic for community banks and thrifts that may not have the resources or specialized expertise needed to identify and mitigate these vulnerabilities."

Back in October, Curry's office issued updated guidance related to third-party risks. The update noted eight areas where banking institutions need to make improvements to their vendor management programs related to third-party relationships.

In its guidance, Curry's office pointed out that institutions face new and increased operational, compliance, reputation, strategic and credit risks when dealing with third parties.

Banks' Responsibilities

Curry's speech reinforced that banking institutions have to be responsible for monitoring and ensuring the ongoing security of the vendors with which they work, even if those vendors are subject to regulatory oversight.

"Those of you who provide services to banks are probably aware that we examine a category of vendors designated as technology service providers, or TSPs, and that we also have authority under the Bank Service Company Act to issue enforcement actions when necessary," Curry said. "Our supervision does not take the place of due diligence or ongoing monitoring commensurate with the level of risk and complexity of the arrangement."

Risk management practices haven't always kept pace with emerging risks, he said, and banking institutions that depend too heavily on a single vendor can face catastrophic consequences.

"Service providers are consolidating and leaving financial institutions more dependent upon a single vendor," he said. "As a result, deficiencies at one vendor have the potential to affect a large number of banks simultaneously."

Curry also singled out concerns about foreign-based subcontractors for third-party vendors. "Banks need to consider the legal and regulatory implications of where their data is stored or transmitted and make a determination as to whether geographic limitations are needed in their contracts," he said.

Third parties are often given access to sensitive data about the banking institutions as well as their customers, he pointed out.

FFIEC Oversight

Last year, the Federal Financial Institutions Examination Council created a Cybersecurity and Critical Infrastructure Working Group, which aims to enhance information sharing among banking regulators, law enforcement and homeland security officials, Curry noted. "This working group will also consider how best to implement the President's Executive Order on Cybersecurity, as well as how to address recommendations of the Financial Stability Oversight Council," he said

Banking institutions are cybercriminals' most sought-after targets, Curry said. "The system is also vulnerable because of the banking industry's significant reliance on technology and telecommunications, and more important, from the interconnections between these systems," he added. "Each new relationship and connection provides potential access points to all of the connected networks, thereby introducing new and different weaknesses into the system."

This is why enhanced and ongoing information sharing across banking institutions and other entities that touch financial services is critical, he said. "The FFIEC working group ... will help in the process of improving awareness across the financial system, particularly among community institutions, about the evolving nature of the cyber landscape."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.