OCC warns of heightened operational risk threats

Businesses lost $2.3 billion from 2013 to 2016 because of email fraud, says US regulator.

The US Office of the Comptroller of Currency (OCC) warns of continuing elevated operational risk in its Semiannual Risk Perspective. The US regulator put special emphasis on business e-mail compromise (BEC), a type of cyber attack which has resulted in: “More than $2.3 billion in losses across all businesses, from October 2013 through February 2016, according to the Federal Bureau of Investigation.”

The OCC defines BECs as a “sophisticated scheme” where criminals organise social engineering attacks through email to steal personal data of bank employees. The stolen identities are then used to request wire transfers to fake accounts. Bank employees approve the criminal transactions because they see them coming from what looks like regular personnel within the bank.

The report states that: “Banks and their employees, customers, and third-party relationships remain vulnerable to cyber attacks. A common point of entry into internal systems involves a phishing attack aimed at an employee, customer, or third party. Such an attack may result in cyber criminals gaining access to infrastructure and applications through downloaded malware.”

According to the OCC, the number of reported critical vulnerabilities in common software platforms has increased, while cryptocurrencies have facilitated both payments for criminal acts and ransom requests (for example in DDoS attacks) by enabling anonymous transfers of money for cyber criminals.

The regulator cites third-party vendors as another source of risk: “The number, nature, and complexity of domestic and foreign third-party relationships continue to expand, increasing risk management challenges. This reliance may also present concentration risk.”

According to the report, cyber resiliency issues in banks stem from inadequately incorporating “resiliency considerations, including recovery from cyber events, into their overall governance, risk management, and strategic planning processes.”

The OCC goes on to note that while operational risk is concentrated in top-tier banks, it is increasing among small banks.
