A top US banking regulator has warned that more legislation may be needed in the fight against an ever-growing cyber-security threat.
Earlier this year President Barack Obama signed a cyber-security executive order designed to improve collaboration and information sharing between the government and critical infrastructure providers such as banks.
In a speech this week, Comptroller of the Currency Thomas Curry said that in line with the order his agency and others are examining whether their supervisory authority is up to the challenge of the cyber age.
Curry told his audience that his office needs to make sure that it is taking full advantage of its current powers: "But if we determine that legislation is needed to fill gaps in our authority, I can assure you that we will move promptly to raise our concerns to Congress."
In his speech, the Comptroller warns that cyber-attacks are growing in frequency and sophistication. The spate of DDoS hits on bank Web sites over the last year may have caused minimal damage but there is the potential for not only disruption but destruction of systems, hitting public confidence in the whole industry.
The tools and infrastructure used by hackers are becoming easier and cheaper to access while banks are becoming more vulnerable because of their reliance on technology, telecommunications, and the connections between them.
With so many third parties also involved "each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system. Ultimately, these interconnected networks are vulnerable to attacks that may affect multiple organisations at one time," says Curry.
Things are only going to become more complicated, warns the speech, because while new technologies, such as cloud computing, social media and mobile banking are a boon for customers, they also expand exposure to cyber attacks, with each new product introducing a new set of weaknesses into the system.
Banks may be under pressure to be at the forefront of innovation but "early adoption of new applications and technology could outpace our ability to identify and mitigate the vulnerabilities during the product design phase, thereby providing new exploit opportunities for cyberattackers," warns Curry.
The Comptroller says that he has some faith in the ability of big banks, with massive resources and large IT security teams, to fight off attacks. However, he warns that hackers will increasingly turn their attentions to small community banks with less sophisticated defences and a reliance on outside IT vendors.
To help these small banks defend themselves, Curry says that the OCC is devoting greater resources and has appointed a senior critical infrastructure officer to work with officials across government and the private sector. Meanwhile, a series of briefings and outreach events have already attracted around 750 institutions.
Concludes Curry: "The OCC stands ready to help the institutions we supervise in any way we can...But this is not a problem that can be addressed by one agency alone or by any one institution acting on its own. It is a threat that we can deal with only if we work together in a collegial and collaborative way for the good of our country."
Cyber security threats were also on the agenda at the annual congress of international securities regulatory co-ordinating body Iosco earlier this week. At a round table immediately preceding the board meeting, regulators and five external experts drawn from industry, think tanks and government agencies examined the growing risk of cybercrime as a disruptive force in global financial markets.
"Participants agreed that cybercrime can have a serious impact on the integrity and efficiency of global markets, the protection of investors and ultimately on trust and confidence in the financial system, thereby posing a systemic risk," says Iosco, in a statement. "Members agreed on the importance of focusing on identifying where the biggest vulnerabilities are in financial markets and what practical mitigation measures might be possible."