
Comptroller to community banks: Boost cyber security

 All banks must know of—and prepare for—cyberrisk

Community banks are particularly vulnerable to merchant data breaches, even if they are not involved directly, Comptroller of the Currency Thomas Curry believes. Smaller institutions face costs of customer compensation, risks to reputation, and vulnerability to lapses in third-party precautions.

To that end, Curry, speaking to community bankers recently, said that he expects banks of all sizes to seriously consider participating in the Financial Services Information Sharing and Analysis Center, as well as making cybersecurity planning a top issue for banking leadership.

“Financial institutions are often on the hook to compensate customers for fraudulent charges, and replace credit and debit cards and monitor account activity for fraud at significant costs,” said Curry. “That’s not easy for any bank, but it’s a burden that falls especially heavily upon community institutions. At a cost of $5 or more per card and covering the related fraud charges, the costs can run up very quickly.”

As chairman of the Federal Financial Institutions Examination Council, Curry created a Cybersecurity and Critical Infrastructure Working Group that conducted a pilot cybersecurity examination work program this summer at 500 community banks. Observations from that pilot recently were released, along with lists of questions bank leaders should consider asking their staffs regarding risks related to cybersecurity. 

Discussing the document, Curry said that it encourages management to incorporate cyber-incident scenarios into business continuity and disaster recovery planning.

“The report stresses that management should consider how it will respond to a cyber-attack, not just internally, but with customers, third parties, regulators, and law enforcement,” said Curry.

Curry noted that management should be asking questions about the types of data connections their company has with other institutions and third parties, and whether all of those connections are properly managed.

FFIEC also recently issued a statement recommending that financial institutions of all sizes participate in FS-ISAC.

“With threats evolving so rapidly, we expect management at every institution we supervise to monitor and maintain sufficient awareness of cybersecurity threats and vulnerabilities. The FS-ISAC is an important resource for institutions to identify, respond to, and mitigate cyber-threats and incidents,” Curry said.

Speaking more generally, Curry warned bankers about the cyberrisks related to complexity and interdependency, and especially the risks community banks face when using third-party contractors.

“Complexity and interdependency create opportunities for hackers to gain access to the systems of financial institutions and the third-party vendors that provide services to the industry. Not only do financial institutions need to have good controls over their own systems, they need to monitor carefully the ways in which they connect to vendors, how these contractors manage their systems, and how these vendors connect to still other third parties.

“Financial institutions also need to be aware of the various ways in which even their own employees may inadvertently create opportunities to compromise systems, by introducing personal (and possibly corrupted) devices into bank networks. In a highly interconnected environment, it can be very difficult to identify and address all of the potential vulnerabilities a bank might face,” Curry says.

Curry acknowledged that his expectations were high.

“But the stakes are high as well,” he said. “The industry’s reputation is at stake, as is the trust that consumers place in their financial institutions. Financial institutions of all types and sizes have a lot of work ahead of them.”

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News.
