Skip to main content

Guru Briefs – OCC on Cybersecurity & MRA’s, FFIEC on Cybersecurity Assessments

(NOTE:  Guru Briefs are short takes on recently released regulatory activity. They are not a detailed analysis, but designed to draw attention to the Guru’s initial impressions.)

In this edition:

  • The OCC has been particularly active on the regulatory front lately, and even non-OCC institutions may want to pay attention, as the head of the OCC is also the Chairman of the FFIEC.  I comment on 3 recent OCC pronouncements.
  • The FFIEC has completed the cybersecurity risk assessments, and issued some observations.

First up, the OCC recently updated their guidance on Matters Requiring Attention, or MRA’s.  Classified generally as examination “findings”, MRA’s are the most severe type of findings, as they require the immediate attention of senior management and timely (i.e. rapid) corrective action.  While it’s good to see this process standardized (at least among OCC examiners, other agencies have yet to follow suit), what struck me was how the “open” items (those items that have yet to be corrected) were classified.  Particularly one that I haven’t seen before…”Self-identified”.  A “Self-identified” MRA is defined as:

“A significant unresolved concern that the bank initially discovered.  A bank’s action to self-identify concerns is an important consideration when the OCC assesses the adequacy of the bank’s risk management system.

So in other words, you discovered a deficiency first, and then either brought it to the attention of the regulator or they found it.  Instead of counting against you. this actually strengthens the regulator’s view of your risk management system.  Essentially this is an MRA that has a positive impact on your institution!  I’ve discussed this “control self-assessment” process before.  Don’t be afraid of finding problems, it’s much better that you find them then the regulator!

Next up from the OCC, the Chairman (Thomas J. Curry) gave a speech on cybersecurity to the 10th Annual Community Bankers Symposium recently.  Here are a few of my observations:

  • Smaller institutions may be more at risk from cybercrime because of their lack of internal resources compared to larger institutions, so collaboration with information sharing organizations is particularly important.
  • Management is encouraged to incorporate cyber-incident scenarios into their business continuity and incident response planning.
  • It’s “extremely important” for management to understand their risk exposure to cyber-threats and vulnerabilities.
  • Because of the high degree of connectedness among institutions and their third-party providers, managing those relationships is vital.  Curry states that “third-party relationships have been a significant area of concern for years, and not just in the area of cybersecurity.”  The agency has, and will continue to, play a role in watching over these providers, but they stress that their supervision “does not take the place of due diligence or ongoing monitoring” on your part.

Lastly from the OCC, could we see merchants held to the same security standards as financial institutions?  Consider this statement from Chairman Curry in the same speech:

“…we need to level the playing field between financial institutions and merchants. The same expectations for security of customer information and customer notification when breaches occur should apply to all institutions. And when breaches occur in merchant systems, it seems only fair to me that they should be responsible for some of the expenses that result.”

This is long overdue in my opinion, merchants are considered the weakest links in the cybersecurity chain.  The challenge will be enforcing it.  Until merchants are under the same regulatory burden as financial institutions, they will have no incentive to comply.  PCI-DSS has been proven ineffective, after all both Target and Home Depot claimed to be PCI compliant prior to their breaches.


Finally, the FFIEC has concluded their cybersecurity assessments and issued some general observations.  Summarizing:

  • Management must understand their own cybersecurity exposure (see OCC Chairman comments above).
  • Key to this understanding your cybersecurity status is understanding who connects to you, and how.
  • Manage your third-party relationships, and understand how your vendors are managing their third-parties.
  • Expand your disaster recovery and incident response processes to incorporate cyber incident scenarios (again, see Chairman Curry’s remarks above).

…and last but not least…

  • “As a result of the Cybersecurity Assessment,  FFIEC members are reviewing and updating current guidance to align with changing  cybersecurity risk.”  In other words, new guidance is on the way!