OCC Warns Banks: Manage Cybersecurity Risk When Partnering with Third Party Service Providers
By Bianca Ponziani
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury charged with regulating bank activity, recently released its
Banks and similar financial institutions operate in a competitive marketplace for financial products. Smaller fintech players offer the gamut of trailblazing financial products, ranging from small-business credit to digital cross-currency transfers. With an eye to efficiency and reaching economies of scale, banks increasingly partner with these entities as third party service providers to bring cutting-edge financial software and innovation in-house.
While the aim is to give clients a one-stop shop for the most advanced financial tools available, banks’ exposure to cyber threats increases as they outsource to, and share sensitive data with, third party service providers. This risk is heightened when bank technology is consolidated in the hands of fewer key players and when third parties do not implement appropriate security controls.
The Spring 2019 report of OCC’s National Risk Committee (NRC) identifies cyber attacks on third party service providers as a key risk trend. According to OCC, partnerships with third parties must be entered into with privacy and cybersecurity considerations top of mind, especially where features such as remote access and unsupported software are part of the design. Banks must monitor and update their systems throughout their life cycle, or risk undermining the economic value of third-party partnerships.
Depending on an attacker’s objective, cyber threats can expose large swaths of personally identifiable client information, lead to the misappropriation of funds, and generally disrupt business operations. While spear phishing is one of the main methods used to target banks, malicious actors are always adapting their techniques. In fact, the NRC’s report indicates that cybercrime and espionage activities increasingly target third-party service providers because they represent a single access point to multiple networks. Banks are encouraged to preemptively designate key members of their legal, compliance, and public affairs teams to improve their systems’ operational resilience and to coordinate with relevant government and law enforcement agencies in the event of a cybersecurity incident.
If you have any questions on best practices for managing third-party risk in the financial sector, please contact any member of our Privacy & Cybersecurity Practice.