The Fed should do more to oversee financial sector cyber

With the financial sector under threat, the Federal Reserve should take a stronger hand in oversight of cyber defense, according to a new report.

The Federal Reserve could be doing more to protect the nation's financial industries in the face of cyber peril. So says a new report from the Fed's Office of Inspector General, which spelled out a range of measures that are needed to help defend private sector financial institutions against mounting cybersecurity risks.

The report called for tighter security procedures surrounding multi-regional data processing service (MDPS) firms, which provide technology services to the financial industry. These firms may process mission-critical applications for multiple institutions in diverse locations across the country, and are thus considered a vulnerable point.

The Fed's Financial Stability Oversight Council has highlighted cybersecurity risks as a major concern in annual reports to Congress for five years running, and that concern isn't going away. As digital threats evolve, regulators should be preparing to counter "significant cybersecurity attacks," the OIG warned.

The OIG recommended improving oversight of MDPS firms through enhanced governance structures. In addition, efforts should be made to ensure that regulators working in intelligence and incident management have a better understanding of the technologies these firms use.

The report also highlights the need for greater continuity in cyber operations, identifying opportunities to improve recruiting, retention, tracking, and succession planning for cybersecurity resources.

The OIG found systemic reasons for weak cyber practice. Take the rule that financial institutions notify regulators of new vendor relationships within 30 days, for instance. With the rise of new financial tools such as digital payment services, it's become difficult to tell the difference between a "product" and a "service." That leaves the reporting requirement vague at times, and opens the door to cyber vulnerabilities.

Overall, the OIG found that the Fed's Division of Supervision and Regulation lacks a sufficient framework to address cyber concerns in MDPS firms and technology service providers. These entities have grown significantly in recent years, processing billions of transactions annually, and yet the Fed has not developed an oversight structure that recognizes their size and importance in the financial system.

The OIG urged regulators to further evaluate their governance options; to provide clearer guidance to examination teams; and to develop better processes for documenting technology systems in use.

In a response to the report, the Fed's Board of Governors acknowledged the need for enhanced cyber practices and stated that many of these improvements are under way, including the "implementation of two high-priority initiatives" – putting a new cybersecurity strategy into place and assessing the current state of IT supervision.