Fed’s Barr: Banks must bridge third-party cyber risk gaps.

January 17, 2024

TLDR:

– Banks need to address gaps in their efforts to manage third-party cyber risk, according to Michael Barr, Vice Chair for Supervision at the U.S. Federal Reserve.
– Barr expects cyber threats against the financial services industry to become increasingly disruptive, with ransomware and third-party risks being major threats to banks.

At the Wednesday conference, Barr emphasized that banks’ reliance on third-party service providers has grown in recent years, increasing the potential for cyber risk. He stated that it is the responsibility of banks to manage their third-party risk, but historically, there have been gaps in this area.

Barr highlighted the need for banks to uncover vulnerabilities in their systems and address them before attacks occur, but he also stressed that defense is not sufficient. He encouraged banks to focus on resilience to successful cyberattacks by developing and regularly testing business continuity plans.

Regarding cyber risk quantification techniques, Barr mentioned that they are still in their early stages, partly due to a lack of good data. However, he expects that cyber incident reporting will contribute to the development of these techniques. Banks are already required to comply with security incident reporting rules, but a law passed in 2022 will require banks and other companies to report certain cybersecurity incidents to the federal government within 72 hours.

According to banking industry lobbyists, this 72-hour rule will enable the Cybersecurity and Infrastructure Security Administration to produce reports about threat actors and provide early warning of potential attack vectors.

Barr also believes that insights on the interconnectedness of financial companies and service providers will improve cyber risk quantification. Understanding the impact of incidents on the broader financial system will help banks and supervisors better measure the direct and indirect costs of a cyber disruption.

In summary, banks need to address gaps in managing third-party cyber risk and focus on uncovering vulnerabilities, building resilience to cyberattacks, and improving cyber risk quantification techniques.