Ahead of the 6th Annual Risk Americas Convention, Robert Phelps, Acting Director, Critical Infrastructure at the OCC, provides insights into the ERM and Operational Risk panel discussion, which reviews the cyber threat in an innovative and technological environment. He will be accompanied by Fred Shane, CRO, Commonwealth Financial Network; Richard Van Horn, VP, IT Risk, Data Protection, JP Morgan Chase; and Brad Mirkin, Former FINRA.
- Robert, can you tell the Center for Financial Professionals about your experience in the industry?
I am approaching my 24th year as a Bank Examiner with the Comptroller of the Currency. My current role is the Director for Critical Infrastructure Policy, where I oversee policy-related matters relative to industry guidance and policy, including the Cyber Security Assessment Tool (CAT). Prior to this role, I served as an Assistant Deputy Comptroller in our Midsize supervision program, where I oversaw all supervisory efforts for 7 regional banks totaling over $200B in assets. I also have 28+ years of military service as an Intelligence Officer, performing various roles in various campaigns.
- How have technological advances had an impact on the cyber threats which financial institutions are facing?
The challenge many banks face is the pace of change and deciding what will give them the biggest bang for the dollar spent. This includes infrastructure spending (i.e. keeping the lights on and adding new features to gain and maintain customers) to maintain systems. Some have even decided that to reduce cost and security exposures they need to simplify their environment, either through consolidation or outsourcing. Obviously the speed at which cyber threats change poses a challenge for boards to comprehend and to determine how much security is enough, because unlimited spending is not an option.
- Can you provide some examples of how companies can protect themselves from cyber threats?
What we are finding from our CAT results is that basic blocking and tackling continues to be the biggest challenge. This is also where banks tend to expose themselves and experience breaches: things like authentication, hardening, patching, and user awareness. Banks tend to think they need to protect against nuclear war, when in reality they need to defend against large operational and tactical risks (i.e. payment systems, PII, financial data, fraud, and good resiliency).
- Without giving too much away, what are some basic tools that FIs can adopt to better improve their incident response and disaster recovery?
Know what you must recover and when. It seems simple, but a good BIA can help determine the key components of the enterprise that must be sustained in order to be a going concern. We are focusing on resilience in being able to operate in a degraded, denied, or destroyed state.
- How do you see the role of operational risk evolving over the next 6-12 months?
Operational risk is gaining more mainstream acceptance due to cyber risk issues and the continuing complexity of operations. Banks are seeking ways to reduce risk and at the same time reduce costs, which requires a sound assessment of the operational environment. Risk measurement in this area continues to be a challenge, but hopefully we will see continued maturity in this area.