Operational Risks: Cyber, Fraud Risk Innovation & More
Samantha: Hello, this is Samantha Shares.
This episode covers the O C C's Fall
2024 Operational Risk report, focusing
on cybersecurity, operational resilience,
innovation, and fraud risk management.
The following is an audio
version of that document.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions Incorporated, whose
team has over two hundred and
forty years of National Credit
Union Administration experience.
We assist our clients with N C
U A so they save time and money.
If you are worried about a recent,
upcoming or in process N C U A
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.
Also check out our other podcast called
With Flying Colors where we provide tips
on how to achieve success with N C U A.
And now the O C C's Fall 2024
Operational Risk report, focusing on
cybersecurity, operational resilience,
innovation, and fraud risk management.
CYBERSECURITY
Operational risk remains elevated as
cyber threat actors continue to evolve
and refine their tactics by using
more advanced technology, such as A I.
Simultaneously, banking services
continue to engage with third
parties, including fintech firms,
expanding the cyberattack surface.
Thus, the probability of occurrence
and the potential impact of
cyber incidents are increasing.
This complex, interconnected
operating environment amplifies
the importance of third-party risk
management, change management, and
operational resilience measures.
A financial entity's exposure to cyber
threats and operational disruptions
extends beyond its own network.
Threat actors are increasingly
targeting vulnerabilities and deficient
security practices at financial service
providers and their third parties.
The O C C continues to see compromised
systems involving the exploitation
of publicly known vulnerabilities
on internet-accessible networks.
This underscores the need for
banks to maintain an inventory of
assets and external connections and
remediate vulnerabilities promptly.
It is important that banks maintain
effective change management and
third-party risk management, including
ensuring that third parties throughout
the bank's information technology supply
chain are adhering to secure software
development standards to reduce the
risk of disruptions or compromises.
Additionally, it is critical that banks
and their service providers have effective
threat and vulnerability monitoring
processes and security measures, including
the use of multi-factor authentication (M
F A), hardening of systems configurations,
testing software updates before
implementation, phased rollouts of
software updates, timely vulnerability
patch management, and immutable backups.
The O C C continues to monitor the
progress toward quantum computing
capabilities and the associated risks
to general encryption techniques.
On August 13, 2024, the National
Institute of Standards and Technology
(N I S T) finalized its principal set of
encryption standards designed to withstand
cyberattacks from a quantum computer.
The new standards are designed
for general encryption and digital
signatures, which are critical to
protect information and authentication.
The process for transitioning to
these new post-quantum computing
(P Q C) standards will likely take
years to fully test and implement.
Banks are encouraged to conduct
inventories of where encryption is
used within their operations and work
with third parties to assess their
P Q C transition plans to ensure
long-term security and interoperability.
Institutions that develop their
own software are also encouraged
to begin the migration process.
OPERATIONAL RESILIENCE
An effective operational resilience
strategy can enhance a bank's ability
to mitigate disruption events, including
cyber incidents, disruptions at third
parties, change management issues, and
other technology or operational outages.
Operational resilience was highlighted
in mid-2024 when a flawed software
update at a large cybersecurity firm
and weaknesses in change management
programs caused global operating
disruptions, shutting down systems
across many sectors, including financial.
Testing and validating operational
resilience plans are appropriate to
enable banks to respond to disruptions.
Clear expectations should be in place
for testing and certifying that a cyber
event or other disruption at a third
party has been effectively remediated.
Validation and confidence are
critical before reconnecting
that third party's systems to
appropriately mitigate contagion risk.
INNOVATION AND ADOPTION OF
NEW PRODUCTS AND SERVICES
Banks continue to adopt new technology
and innovative products and services to
further their digitization efforts and
meet evolving customer expectations.
Banks' incorporation of new technologies,
including cloud computing and engaging
with fintechs, may help banks of all sizes
gain efficiencies and provide products and
services to customers, often at lower cost
and with enhanced customer experience.
In addition to benefits, new technology
and innovative products and services
may increase the complexity of banks'
operating environments, pose new
risks, or exacerbate existing risks.
Banks' increasingly complex relationships
with fintech firms may increase the
complexity of the operating environment
and expose banks to a wider range of risks
than traditional third-party arrangements.
Effectively adopting new and modified
products and services includes appropriate
due diligence, enterprise change
management, and risk management processes
when considering changes to products,
services, and operating environments.
Assurance functions, such as audits,
should be considered as part of
planning, implementation, and
ongoing monitoring of operational
changes or increased complexity.
Banks generally have approached
A I adoption cautiously.
Although A I and machine learning (M L)
have been around for years in banking,
new capabilities such as those arising
from generative A I can present greater
compliance and operational risks.
Training large language models requires
effective data quality governance.
Many banks and service providers
face challenges with maintaining
legacy technology architectures
while responding to these and other
increasing digitization demands.
It is important for banks to maintain
an effective technology architecture
strategy, commensurate with the size
and complexity of products, services,
and operations being supported.
Technology strategies should include
processes for managing and mitigating
risks from technology assets that
have reached their end of life.
Banks considering or engaging in custody
services for digital assets (including
cryptocurrencies), holding stablecoin
reserves, or participating in distributed
ledger transaction verification
should establish and maintain prudent,
effective risk management practices.
Some assets may present
unique operational risks.
Banks are reminded to follow O
C C processes before engaging in
certain cryptocurrency, stablecoin,
and distributed ledger activities.
FRAUD RISK MANAGEMENT
As fraud targeting banks and their
customers continues to increase, it
is important for fraud risk management
approaches to keep pace with a
bank's evolving fraud risk profile.
Effective fraud risk management
includes reporting risk to senior
management and the board on a
timely, comprehensive basis.
Additional considerations include
confirming that control systems
encompass both preventative controls
to deter fraud and detective controls
to identify and respond to fraud in
a timely manner once it has occurred.
Results of ongoing control testing
should inform the redesign of
existing controls, the implementation
of new controls, and the addition
of qualified staff, as needed.
Effective customer identification
and verification processes at
account opening and appropriate
monitoring throughout a customer's
banking relationship are critical.
Confirming wire instructions, verifying
identity, and effective authentication
controls are critical to preventing scams
that are perpetrated using wire transfers.
Verifying the accuracy of the
transaction has caught and thwarted
efforts to wire funds to fraudsters.
Similarly, alerts and other messages
introducing small frictions in
P2P and other transactions could
help consumers pause before making
a payment to an unknown party.
Identifying S A Rs on fraudulent activity
in a timely manner remains important
to protect both banks and consumers.
Technology can help to flag suspicious
activity, support prudent authentication,
and block suspicious transactions until
further authentication has occurred.
THIRD-PARTY RISK MANAGEMENT
Banks should guard against complacency
and ensure that fundamental risk
management practices, including
third-party risk management, remain sound.
Technological advances have continued
the increasing trend of banks
and trust companies outsourcing
operations and entering relationships
with third parties to deliver
financial products and services.
Effective management and oversight
of third-party relationships
are essential and generally
follow a continuous life cycle.
Third-party risk management processes
should be commensurate with the bank's
size, complexity, and risk profile,
and the criticality of activities
supported by the third party.
A third-party relationship may expand or
grow throughout the banking relationship.
Ongoing monitoring activities should
remain commensurate with the changes
in the level and type of risk
and any expanded use of services.
Banks should consider
interagency guidance.
If your credit union could use assistance
with your exam, reach out to Mark Treichel
on LinkedIn, or at Mark Treichel dot com.
This is Samantha Shares and
we Thank you for listening.
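The encryption inventory the report encourages in the cybersecurity section (find where encryption is used, flag algorithms a quantum computer would break, and identify which third parties need a P Q C transition plan) as an added Python example; this is not code from the O C C report, the podcast, or Credit Union Exam Solutions. The inventory records, the algorithm-name markers, and the "migrate / review / ok" rule are constructed assumptions for illustration; a real inventory would be fed from TLS and SSH scanner output and the bank's third-party register.

```python
"""Constructed example: classify recorded cryptographic uses for a
post-quantum (PQC) migration inventory.  All records below are made up."""
from collections import defaultdict

# Assumed name markers.  PQC is checked first so hybrid key exchanges such
# as X25519MLKEM768 count as PQ-protected.  Public-key schemes based on
# factoring or discrete logarithms are broken by Shor's algorithm;
# symmetric ciphers and hashes are only weakened (larger keys suffice).
PQC_MARKERS = ("MLKEM", "ML-KEM", "ML-DSA", "SLH-DSA", "SNTRUP761", "KYBER", "DILITHIUM")
VULNERABLE_MARKERS = ("RSA", "ECDSA", "ECDHE", "ECDH", "DHE", "DH", "DSA",
                      "ED25519", "X25519", "ED448", "X448", "DIFFIE-HELLMAN", "SECP", "NISTP")
SYMMETRIC_MARKERS = ("AES", "CHACHA20", "POLY1305", "SHA", "HMAC")


def classify_algorithm(name):
    """Return 'pqc', 'vulnerable', 'symmetric' or 'unknown' for one algorithm name."""
    n = name.upper()
    if any(m in n for m in PQC_MARKERS):
        return "pqc"
    if any(m in n for m in VULNERABLE_MARKERS):
        return "vulnerable"
    if any(m in n for m in SYMMETRIC_MARKERS):
        return "symmetric"
    return "unknown"


def tls_key_exchange_tokens(suite):
    """Key-exchange/authentication tokens of a TLS 1.2-style suite name.
    TLS 1.3 suites carry no '_WITH_' (key exchange is negotiated separately),
    so they yield nothing and the asset must record its 'kex' explicitly."""
    head, sep, _ = suite.partition("_WITH_")
    if not sep:
        return []
    return [t for t in head.split("_") if t not in ("TLS", "SSL")]


def inventory_asset(record):
    """Collect every asymmetric use on one asset and decide its PQC status."""
    uses = []  # (role, algorithm, classification)
    for suite in record.get("suites", []):
        for tok in tls_key_exchange_tokens(suite):
            uses.append(("tls-kex", tok, classify_algorithm(tok)))
    for role in ("kex", "sig", "hostkey"):
        for alg in record.get(role, []):
            uses.append((role, alg, classify_algorithm(alg)))
    classes = {c for _, _, c in uses}
    if not uses:
        status = "review"      # nothing recorded: the inventory itself is incomplete
    elif "vulnerable" in classes:
        status = "migrate"
    elif "unknown" in classes:
        status = "review"
    else:
        status = "ok"
    return {"asset": record["asset"], "owner": record["owner"], "uses": uses, "status": status}


def owners_needing_transition_plan(records):
    """Map each owner (internal team or third party) to its assets that must migrate."""
    by_owner = defaultdict(list)
    for rec in records:
        finding = inventory_asset(rec)
        if finding["status"] == "migrate":
            by_owner[finding["owner"]].append(finding["asset"])
    return dict(by_owner)


# Constructed inventory records (hypothetical assets and vendors).
SAMPLE_INVENTORY = [
    {"asset": "customer-web-gateway", "owner": "vendor-a",
     "suites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    {"asset": "core-api", "owner": "internal",
     "suites": ["TLS_AES_256_GCM_SHA384"], "kex": ["X25519MLKEM768"], "sig": ["ML-DSA-65"]},
    {"asset": "vendor-sftp", "owner": "vendor-b",
     "kex": ["diffie-hellman-group14-sha256"], "hostkey": ["ssh-rsa"]},
    {"asset": "legacy-mainframe-link", "owner": "internal",
     "suites": ["TLS_AES_128_GCM_SHA256"]},  # TLS 1.3 suite, kex never recorded
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        f = inventory_asset(rec)
        print(f"{f['asset']:24} {f['owner']:9} {f['status']:8} {f['uses']}")
    print("owners to ask for a PQC transition plan:", owners_needing_transition_plan(SAMPLE_INVENTORY))
```

The "review" status is the useful edge case: an asset whose only recorded suite is a TLS 1.3 name looks clean but tells you nothing about its key exchange, so it is flagged as an inventory gap rather than silently passed. The per-owner map is what the report's third-party step needs: each vendor listed is one you ask for a written P Q C transition plan.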
