In his remarks before a CES Government meeting, Comptroller of the Currency Thomas J. Curry discussed cybersecurity and the Office of the Comptroller of the Currency’s (“OCC”) recent guidance on managing third-party relationships.
Comptroller Curry stated that, while the financial industry is not the only sector at risk for cyber-attacks, it is one of the most attractive targets for terrorists and criminals alike. Comptroller Curry stressed that he is not trying to discourage the use of third-party vendors, but added that they pose significant risks in the realm of IT systems and information security.
Comptroller Curry mentioned three specific risks related to third-party cybersecurity: (i) the extent to which service providers are consolidating and leaving financial institutions more dependent upon a single vendor, (ii) the increased reliance by banks on outside vendors, including foreign-based subcontractors, to support critical activities, and (iii) the access that third parties have to large amounts of sensitive bank or customer data. He noted that the OCC issued an updated guidance, which will be updated frequently, that focuses on risk-management practices to address these concerns and others.
See: Comptroller Curry’s Speech.
See also: OCC Risk Management Guidance.