OCC: Banks Unprepared for Cyberattacks and Other Risks

A U.S. banking regulator has reportedly determined that many lenders aren’t prepared for risks.

As Bloomberg News reported Sunday (July 21), a confidential assessment by the Office of the Comptroller of the Currency (OCC) said 11 of the 22 large banks it oversees have “insufficient” or “weak” management of so-called operational risk, whether that means cyberattacks or mistakes by employees.

The report, citing sources familiar with the matter, said this determination led the OCC to rate the banks at three or lower on a five-point management scale, a sign that U.S. regulators are worried about banking risks after three high-profile failures in 2023.

The OCC’s operational risk assessments are part of a larger scoring metric known as the CAMELS rating, which stands for six measures of operations: capital adequacy, asset quality, management, earnings, liquidity and sensitivity to market risk. 

As noted here last year, the “downgrading of banks’ CAMELS rating can have far-reaching implications. … It affects banks’ deposit insurance premiums, audits and their ability to engage in certain activities. Downgraded lenders may be barred from making deals and denied emergency liquidity from the Federal Reserve.” 

The report comes amid a period of heightened concern over cybersecurity, exacerbated last week by what has been described as “the worst IT outage in history,” in which a single software update issued by security firm CrowdStrike inadvertently crippled Microsoft’s systems, impacting the computer systems of more than half of all Fortune 500 companies.

Days earlier, an hourslong outage at Swift affected the Bank of England and the European Central Bank, disrupting high-value transactions across Europe, with the European Central Bank reporting that its settlements system was affected.

“As the dust settles, the focus worldwide is shifting towards learning from these incidents and strengthening the resilience of global IT infrastructure to withstand future challenges,” PYMNTS wrote last week. “At the same time, businesses and organizations are reassessing their reliance on centralized cloud services and considering diversifying their IT infrastructure to mitigate the risk of similar disruptions.”

That’s to say nothing of the recent wave of intentional hacks by cybercriminals, a situation that — as PYMNTS wrote recently — spotlights a need for a shift “from a purely preventive approach” to one that balances prevention with robust response and recovery. 

“It is essentially an adversarial game; criminals are out to make money, and the [business] community needs to curtail that activity. What’s different now is that both sides are armed with some really impressive technology,” Michael Shearer, chief solutions officer at Hawk AI, said in an interview with PYMNTS.