The Fraud Blog


Tracking fraud incidents and trends wherever -- and however -- they occur.

OCC Highlights Risks to Community Banks

Are DDoS Warnings a Signal of Regulatory Scrutiny Ahead?

Banking regulators say they don't expect to issue any new guidelines specifically aimed at distributed-denial-of-service mitigation efforts.

But regulators' increased warnings about risks linked to DDoS, especially at the community bank level, suggest that more scrutiny of DDoS reporting and fraud-risk mitigation measures could eventually be coming.


Last week, the Office of the Comptroller of the Currency, which issued an alert in December about account takeover risks associated with DDoS, hosted a webinar for community banks about emerging cyber-risks. OCC described strategies these banks should implement to mitigate their risks.

Key mitigation steps, the regulator stresses, include:

  • Relying on risk assessments to identify vulnerabilities and guide strategies for risk mitigation;
  • Conducting due diligence on third-party service providers and their subcontractors;
  • Demanding that third parties share information about their security and operating controls.

"Management should embrace security and create a culture of security," Norine Richards, the OCC's Western District lead technology expert, said during a press call June 12. "All bank employees should understand their role."

Signs of Regulatory Scrutiny

Richards said the OCC is not anticipating new guidance linked to DDoS and other cyberthreats. Nevertheless, I believe recent warnings from regulators suggest banks should prepare for more oversight and scrutiny from examiners.

The OCC is one of three U.S. banking regulators to issue specific alerts and reports about emerging cyber-attacks. In May, the Federal Deposit Insurance Corp., in its spring edition of FDIC Consumer News, specifically addressed DDoS attacks, noting that regulated banking institutions are required to notify the public if sensitive data is ever breached during these attacks. And in February, the National Credit Union Administration warned that the fraud risks that could be associated with DDoS attacks should be taken seriously. That warning came on the heels of the OCC's December warning.

Community banks are obviously concerned about more regulatory scrutiny. Richards says many, in response to the OCC's webinar, asked whether they had to be concerned about more compliance demands. Her short answer: No.

"There will not be separate policies to address this," she said. "It has to be integrated. Cybersecurity should not be called out. ... A lot of these controls have been around for a long time, so community banks are well aware of what our expectations are. I think some will have to go back to self-assess to tighten up some of these controls, but all of these things should have been in place."

Community Banks at Risk

But it's no secret that many community banks have brushed off their DDoS risks, at least until very recently. In fact, many of these institutions have yet to adequately address any of their cyber-attack risks.

With so many regulators taking steps to educate banks, especially community banks, about emerging DDoS risks, it's obvious that this is an area all institutions have to address.

"The OCC understands community banks face challenges when it comes to getting or having adequate IT," Richards said. This is why they should lean on their regulatory portfolio managers and information sharing with peer banks to help ensure they fill their security gaps, she added.

The regulatory body says it expects to provide situational awareness training about emerging attacks. I've not seen any other regulator announce similar plans, but I suspect those will be forthcoming.

Let's face it. With all of the attention being paid to mitigation plans and strategies, regulators have made it clear they're taking all cyber-attacks, including DDoS attacks, very seriously.

To ensure institutions take those attacks seriously, I predict regulators will start examining DDoS mitigation strategies.

Admittedly, it's the last thing community banks want. But it's likely something they need.

About the Author

Tracy Kitten


Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.
