On June 29, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Spring 2020 (OCC Report). The OCC Report sets out the key issues facing the banking system and the effects of the COVID-19 crisis on the federal banking industry. It presents data in four main areas: operating environment, bank performance, special risk topic and trends in key risks.
National banks and federal savings associations regulated by the OCC must identify and address the operational risks that may arise from the implementation of alternate control processes brought about in response to COVID-19, and from the heightened cyber risk environment.
Operational Risks Related to COVID-19 Pandemic Impact and Response
Banks have responded swiftly and effectively to implement business continuity plans while maintaining their operations. However, new processes present potential risks and control considerations:
- Cybersecurity Vulnerabilities Associated with Teleworking Tools. Implementation of teleworking tools such as virtual private networks (VPN) and virtual conferencing services can increase cybersecurity vulnerabilities. Configure, secure and monitor these tools as appropriate. Additional steps may be required if employees use personal devices to connect to bank systems.
- Stress on Telecommunications Capacity. Increased use of online and mobile systems by customers, bank staff and third-party service providers may stress or adversely affect banks’ telecommunications capacity. Effectively manage technology infrastructures to provide additional necessary telecommunications bandwidth to maintain appropriate service levels.
- Fraud and Exposure Risk. Sensitive processes performed outside of bank properties and devices can increase the risk of fraud and potential for exposure of customer confidential information. Consider appropriate monitoring and oversight.
- Stress on Change Management Processes. Rapid implementation of new systems, including automation or processes to address evolving operating environments and customer needs, may stress existing change management processes. Apply appropriate change management, and particularly third-party risk management.
- Reduction in Service Delivery. Closely monitor operational workloads, service levels and third-party service provider performance to promptly address potential reductions in service delivery levels caused by pandemic responses.
Heightened Cybersecurity Risk Environment
Cyber threat actors continue to target banks, their customers and their third parties. These include phishing threats against bank customers and staff, and an increasing number of attacks focused on the use of “teleworking tools”: VPNs, virtual teleconferencing services and other remote telecommunication technologies.
The OCC Report highlights several risk management controls for bank cybersecurity found in the “Joint Statement on Heightened Cybersecurity Risk” issued on January 16:
- Review, update and test backup, incident response and business continuity plans
- Protect against unauthorized access through the use of strong authentication
- Securely configure systems and services to protect against malware and malicious actors’ access
In addition, the OCC Report emphasizes the critical role that bank boards and management play in responding to an attack and recommends measures to build the resilience of systems and operations against cyber threats, including:
- Maintain system backups either on logically segmented portions of the network or offline media
- Test recovery capabilities to respond to ransomware or other destructive malware that encrypts or corrupts data, including backup data
Risk management and oversight must adapt as operations transition in this stressed environment.
Our Financial Services and Privacy, Cybersecurity and Data Management teams will continue to share the latest developments impacting the financial institutions sector and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on these issues.