Comptroller of the Currency, Thomas J. Curry, made a speech at the Exchequer Club in Washington, D.C. on September 18, 2013 in which he discussed the increasing risks to banks and the financial system from the growing sophistication and frequency of cyberattacks. The Comptroller pointed out that hackers now can conduct their activity from almost any location and the cost of the tools used by hackers “has dropped precipitously” and sometimes can be obtained without any cost. At the same time, the operational risks to banks are increasing, said the Comptroller, because banks are increasing their reliance on technology and telecommunications and because banks’ systems are often interconnected, directly or through third-party vendors and servicers. The Comptroller noted that there is every reason to think that these risks will continue to increase as banks are today “leveraging cloud computing, social media, mobile banking, and new payment solutions and it is impossible to guess what opportunities technology will bring ten years from now.” The Comptroller also suggested that as the largest banking institutions strengthen their defenses against cyberattacks, hackers may increasingly focus attacks on community banks.
Comptroller Curry stressed the importance to banks that their respective boards and senior management understand the risks posed by cyberattacks and “set the right tone at the top” to inculcate risk management into the culture at their banks. He also stressed that, to address cybersecurity compliance effectively, banks need to communicate with each other, their regulators and other relevant government agencies. As an example of how bank regulators are working collectively to consider cybersecurity issues, Comptroller Curry stated that, in his capacity as Chairman of the Federal Financial Institutions Examination Council (“FFIEC”), he has appointed an FFIEC Cybersecurity and Critical Infrastructure Working Group that “is already meeting with intelligence, law enforcement, and homeland security officials” to consider “how best to implement appropriate aspects of the President’s Executive Order on Cybersecurity, as well as how to address the recommendations of the Financial Stability Oversight Council.”