FAIRCON2020 Video: Deputy Comptroller Kevin Greenfield on What the OCC Expects from Banks in Cybersecurity Risk Management and Reporting
The federal Office of the Comptroller of the Currency (OCC) is serious about policing risk management at federally regulated banks and savings and loans – just in the last few weeks, it fined USAA Federal Savings Bank, Citigroup and Morgan Stanley a collective $545 million for risk management failures.
So, attendees from the financial world at the recent 2020 FAIR Conference no doubt carefully parsed the words of Deputy Comptroller for Operations Risk Kevin Greenfield in his conversation with Bill Barouski, Chief Information Risk Officer, Northern Trust Corporation, and former CISO for the Federal Reserve System.
Watch their discussion, OCC Insights for Cyber Risk Assessments, on our LINK members site. FAIR Institute membership is required.
Some of the insights from Greenfield:
Examiners are prioritizing resilience these days
“We are very focused on operational resilience, how you measure cybersecurity or security risks and what impact that has on the bank’s resilience.”
And especially where resilience depends on third-party risk
Be prepared to understand “what is the criticality to the institution if the [third party] service were to be disrupted… More and more the safety of the banks and the soundness of the banking industry has proven to be very much dependent on some of these service providers.”
Risk reporting should be…like FAIR analysis
As a regulator, Greenfield doesn’t endorse a framework, but his definition sounds a lot like Factor Analysis of Information Risk (FAIR™): “The most important thing is a consistent approach that has demonstrated effectiveness in communicating a risk picture to management and the board.”
Whatever model you use, validate it
Greenfield suggested a rigorous approach: “Confirm that the sources and the assumptions going into these metrics are on solid ground then go back and validate against the outcomes. Look at the decisions being made on the metrics presented.”
Quantify but recognize that decisions are going to be qualitative – just make sure to be transparent on both
“At the end of the day, someone has to make a qualitative call: Is this strong, is this satisfactory, or less than satisfactory and there are areas for improvement. I firmly believe you have to look at both qualitative and quantitative metrics…But it’s very important there be clear transparency of how you arrived at those decisions using both factors for executive management and the board to be able to clearly establish risk appetite for the firm.”
Related:
The SEC's New Cyber Risk Disclosure Guidance: Textbook Case for FAIR