The Fed should do more to oversee financial sector cyber

The Federal Reserve could be doing more to protect the nation's financial industries in the face of cyber peril. So says a new report from the Fed's Office of Inspector General, which spelled out a range of measures that are needed to help defend private sector financial institutions against mounting cybersecurity risks.

The report called for tighter security procedures surrounding multi-regional data processing service firms, which provide technology services to the financial industry. These firms may process mission-critical applications for multiple institutions in diverse locations across the country, and are thus considered a vulnerable point.

The Fed's Financial Stability Oversight Council has highlighted cybersecurity risks as a major concern in annual reports to Congress for five years running, and that concern isn't going away. As digital threats evolve, regulators should be preparing to counter "significant cybersecurity attacks," the OIG warned.

The OIG recommended improving oversight of MDPS firms through enhanced governance structures. In addition, efforts should be made to ensure that regulators working in intelligence and incident management have a better understanding of the technologies these firms use.

The report also highlights the need for greater continuity in cyber operations, identifying opportunities to improve recruiting, retention, tracking, and succession planning for cybersecurity resources.

The OIG found systemic reasons for weak cyber practice. Take the rule that financial institutions notify regulators of new vendor relationships within 30 days, for instance. With the rise of new financial tools such as digital payment services, it's become difficult to tell the difference between a "product" and a "service." That leaves the reporting requirement vague at times, and opens the door to cyber vulnerabilities.

Overall, the OIG found the Fed's Division of Supervision and Regulation is lacking a sufficient framework to address cyber concerns in MDPS firms and technology service providers. These entities have grown significantly in recent years, processing billions of transactions annually, and yet the Fed has not developed an oversight structure that recognizes their size and importance in the financial system.

The OIG urged regulators to further evaluate their governance options; to provide clearer guidance to examination teams; and to develop better processes for documenting technology systems in use.

In a response to the report, the Fed's Board of Governors acknowledged the need for enhanced cyber practices and stated that many of these improvements are under way, including the "implementation of two high-priority initiatives" – putting a new cybersecurity strategy into place and assessing the current state of IT supervision.

About the Author

Adam Stone is a freelance writer specializing in government, technology, military and business affairs. His work has appeared in USA Today, Military Times, Government Technology and other publications.

