The Office of the Comptroller of the Currency recently issuedits Semiannual Risk Perspective for Spring 2017, identifying areaswhere technology is increasing the strategic and operational risks the financialindustry faces.

Increased competition from fintech firms and consumer demand fornew products have increased the strategic risks banks and creditunions face, according to the report.

For example, alternative payments tools that are lesstransparent increase the risk of money laundering schemes goingundetected. In addition to having to address compliance risksassociated with new technology, some financial organizations arestruggling just to keep up with the technology.

“Risks related to changes in technologies and typologies areoften cumulative, requiring banks to enhance processes to addressthese risks while maintaining existing controls,” according to thereport.

OCC also named cybersecurity as a key risk for banks of allsizes. “Cybersecurity and fraud continue to pose risk from theincreasing volume and sophistication of cyber threats and ITvulnerabilities,” the report said of large banks, while noting thatit's increasingly important for midsize and community banks todevelop “cyber resiliency” as malware and extortionschemes become more complex and these banks are more likely torely on third parties for cyber protection.

In fact, OCC warned that more banks are outsourcing theircybersecurity function to a small number of providers. Risk isgetting more concentrated, especially around specialized functionslike card processing or denial-of-service mitigation, creating“concentrated points of failure for certain lines of business oroperational functions for a large segment of the bankingindustry.”

The speed at which cyber incidents occur, as well as theirsophistication, are increasing, according to the report.Furthermore, cybercriminals are more willing to act aggressivelywith the information they extract.

The cybercriminals themselves are changing their business modelas hackers start selling ransomware as a service, the reportnoted.

Phishing is the primary means of access for hackers, the reportfound, though ransomware and denial-of-service attacks are alsoamong the threats banks and credit unions face.

“Effective risk management promotes timely detection, responseand escalation of operational issues to reduce customer impact dueto product failures, possible fraud and potential unfair ordeceptive acts or practices,” Keith Noreika, acting comptroller,said in remarks published with the report.

The report stressed the role of culture in combating thisthreat. “Sophisticated cyber threats continue to pose high inherentrisks to an interconnected financial services marketplace. Boardsand management play a critical role in establishing a sound cultureand implementing effective resiliency practices,” according toOCC.

A report from Kaspersky Lab and B2B International found thathalf of IT security incidents are caused by employees within afirm, and 40% of employees hide their role in an incident for fearof retribution.

OCC recommended updating software and hardware frequently tostay on top of evolving cyber threats, and using strongauthentication protocols as “part of a layered security approach.”OCC noted, “A sound systems development life cycle includingregular maintenance is essential to protecting against theseweaknesses.”

Brian Clark, CEO of Ascent Technologies,expressed concern that OCC appears to be analyzing firms' strategicrisks rather than setting “clear rules that banks and institutionscan follow.”

“What they've essentially done is create a standard of strictliability. That's a legal term [that means] regardless of theoutcome, you are liable,” Clark said. “Whether or not that is theright standard, it is concerning because it establishes thepotential boundary through an administrative process rather than alegislative process.”

He added that while OCC “should be aware of capital risk,liquidity risk and prudential style overview — that's theirpurpose … starting to push into strategic implications of the firmis the purview of the business.”

Clark recommended banks and credit unions make sure theyunderstand the capabilities and shortcomings of the technology theyuse. “No technology will solve every single one of your problems.Some will solve more than others. But really understanding whatyou're implementing is key.”

It's also important for banks to understand where data is comingfrom and where their technology integrates with their providers'.“I'm sure there are cybersecurity services out there that will helpanalyze these touchpoints, but even more than that, understandingthe data you are utilizing in your analysis and where it comesfrom, and how that integrates with third-party algorithms orservices offered and their data, is going to be key,” Clarksaid.