WEBVTT

NOTE
This file was generated by Descript 

00:00:00.460 --> 00:00:02.370
Samantha: Hello, this is Samantha Shares.

00:00:02.960 --> 00:00:08.500
This episode covers the O C C's Fall
2024 Operational Risk report, focusing

00:00:08.500 --> 00:00:13.320
on cybersecurity, operational resilience,
innovation, and fraud risk management.

00:00:14.073 --> 00:00:16.643
The following is an audio
version of that document.

00:00:17.223 --> 00:00:20.423
This podcast is educational
and is not legal advice.

00:00:20.943 --> 00:00:24.943
We are sponsored by Credit Union
Exam Solutions Incorporated, whose

00:00:24.943 --> 00:00:28.013
team has over two hundred and
forty years of National Credit

00:00:28.013 --> 00:00:29.903
Union Administration experience.

00:00:30.413 --> 00:00:34.013
We assist our clients with N C
U A so they save time and money.

00:00:34.483 --> 00:00:38.433
If you are worried about a recent,
upcoming or in process N C U A

00:00:38.433 --> 00:00:42.763
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.

00:00:43.213 --> 00:00:47.573
Also check out our other podcast called
With Flying Colors where we provide tips

00:00:47.573 --> 00:00:50.123
on how to achieve success with N C U A.

00:00:50.883 --> 00:00:55.813
And now the O C C's Fall 2024
Operational Risk report, focusing on

00:00:55.813 --> 00:01:00.473
cybersecurity, operational resilience,
innovation, and fraud risk management.

00:01:01.194 --> 00:01:02.114
CYBERSECURITY

00:01:02.888 --> 00:01:07.248
Operational risk remains elevated as
cyber threat actors continue to evolve

00:01:07.248 --> 00:01:11.258
and refine their tactics by using
more advanced technology, such as A I.

00:01:11.888 --> 00:01:15.398
Simultaneously, banking services
continue to engage with third

00:01:15.398 --> 00:01:19.378
parties, including fintech firms,
expanding the cyberattack surface.

00:01:19.998 --> 00:01:23.138
Thus, the probability of occurrence
and the potential impact of

00:01:23.138 --> 00:01:24.898
cyber incidents are increasing.

00:01:25.498 --> 00:01:28.898
This complex, interconnected
operating environment amplifies

00:01:28.898 --> 00:01:32.618
the importance of third-party risk
management, change management, and

00:01:32.618 --> 00:01:34.518
operational resilience measures.

00:01:35.237 --> 00:01:39.287
A financial entity's exposure to cyber
threats and operational disruptions

00:01:39.287 --> 00:01:41.047
extends beyond its own network.

00:01:41.677 --> 00:01:45.127
Threat actors are increasingly
targeting vulnerabilities and deficient

00:01:45.127 --> 00:01:49.167
security practices at financial service
providers and their third parties.

00:01:49.757 --> 00:01:54.167
The O C C continues to see compromised
systems involving the exploitation

00:01:54.167 --> 00:01:57.777
of publicly known vulnerabilities
on internet-accessible networks.

00:01:58.427 --> 00:02:01.617
This underscores the need for
banks to maintain an inventory of

00:02:01.617 --> 00:02:05.647
assets and external connections and
remediate vulnerabilities promptly.

00:02:06.376 --> 00:02:09.916
It is important that banks maintain
effective change management and

00:02:09.916 --> 00:02:13.856
third-party risk management, including
ensuring that third parties throughout

00:02:13.856 --> 00:02:18.286
the bank's information technology supply
chain are adhering to secure software

00:02:18.286 --> 00:02:22.416
development standards to reduce the
risk of disruptions or compromises.

00:02:22.926 --> 00:02:27.066
Additionally, it is critical that banks
and their service providers have effective

00:02:27.066 --> 00:02:31.596
threat and vulnerability monitoring
processes and security measures, including

00:02:31.596 --> 00:02:36.616
the use of multi-factor authentication
(M F A), hardening of systems configurations,

00:02:36.776 --> 00:02:40.736
testing software updates before
implementation, phased rollouts of

00:02:40.736 --> 00:02:45.586
software updates, timely vulnerability
patch management, and immutable backups.

00:02:46.270 --> 00:02:50.150
The O C C continues to monitor the
progress toward quantum computing

00:02:50.150 --> 00:02:54.150
capabilities and the associated risks
to general encryption techniques.

00:02:54.770 --> 00:02:59.440
On August 13, 2024, the National
Institute of Standards and Technology

00:02:59.520 --> 00:03:04.260
(N I S T) finalized its principal set of
encryption standards designed to withstand

00:03:04.260 --> 00:03:06.320
cyberattacks from a quantum computer.

00:03:06.990 --> 00:03:10.110
The new standards are designed
for general encryption and digital

00:03:10.110 --> 00:03:14.220
signatures, which are critical to
protect information and authentication.

00:03:14.730 --> 00:03:18.080
The process for transitioning to
these new post-quantum computing

00:03:18.080 --> 00:03:22.040
(P Q C) standards will likely take
years to fully test and implement.

00:03:22.600 --> 00:03:25.760
Banks are encouraged to conduct
inventories of where encryption is

00:03:25.760 --> 00:03:29.370
used within their operations and work
with third parties to assess their

00:03:29.370 --> 00:03:34.240
P Q C transition plans to ensure
long-term security and interoperability.

00:03:34.690 --> 00:03:38.070
Institutions that develop their
own software are also encouraged

00:03:38.070 --> 00:03:39.850
to begin the migration process.

00:03:40.598 --> 00:03:42.028
OPERATIONAL RESILIENCE

00:03:42.721 --> 00:03:46.501
An effective operational resilience
strategy can enhance a bank's ability

00:03:46.501 --> 00:03:51.041
to mitigate disruption events, including
cyber incidents, disruptions at third

00:03:51.041 --> 00:03:55.801
parties, change management issues, and
other technology or operational outages.

00:03:56.341 --> 00:04:00.831
Operational resilience was highlighted
in mid-2024 when a flawed software

00:04:00.831 --> 00:04:04.781
update at a large cybersecurity firm
and weaknesses in change management

00:04:04.781 --> 00:04:08.881
programs caused global operating
disruptions, shutting down systems

00:04:08.881 --> 00:04:11.501
across many sectors, including financial.

00:04:12.021 --> 00:04:15.871
Testing and validating operational
resilience plans are appropriate to

00:04:15.871 --> 00:04:18.191
enable banks to respond to disruptions.

00:04:18.691 --> 00:04:22.731
Clear expectations should be in place
for testing and certifying that a cyber

00:04:22.731 --> 00:04:26.831
event or other disruption at a third
party has been effectively remediated.

00:04:27.301 --> 00:04:30.481
Validation and confidence are
critical before reconnecting

00:04:30.481 --> 00:04:34.111
that third party's systems to
appropriately mitigate contagion risk.

00:04:34.836 --> 00:04:37.756
INNOVATION AND ADOPTION OF
NEW PRODUCTS AND SERVICES

00:04:38.487 --> 00:04:42.827
Banks continue to adopt new technology
and innovative products and services to

00:04:42.827 --> 00:04:46.997
further their digitization efforts and
meet evolving customer expectations.

00:04:47.517 --> 00:04:51.847
Banks' incorporation of new technologies,
including cloud computing and engaging

00:04:51.847 --> 00:04:56.857
with fintechs, may help banks of all sizes
gain efficiencies and provide products and

00:04:56.857 --> 00:05:01.827
services to customers, often at lower cost
and with enhanced customer experience.

00:05:02.307 --> 00:05:06.477
In addition to benefits, new technology
and innovative products and services

00:05:06.477 --> 00:05:10.277
may increase the complexity of banks'
operating environments, pose new

00:05:10.277 --> 00:05:12.697
risks, or exacerbate existing risks.

00:05:13.237 --> 00:05:17.317
Banks' increasingly complex relationships
with fintech firms may increase the

00:05:17.317 --> 00:05:22.097
complexity of the operating environment
and expose banks to a wider range of risks

00:05:22.137 --> 00:05:24.277
than traditional third-party arrangements.

00:05:24.943 --> 00:05:29.313
Effectively adopting new and modified
products and services includes appropriate

00:05:29.313 --> 00:05:33.793
due diligence, enterprise change
management, and risk management processes

00:05:33.793 --> 00:05:37.873
when considering changes to products,
services, and operating environments.

00:05:38.383 --> 00:05:41.823
Assurance functions, such as audits,
should be considered as part of

00:05:41.823 --> 00:05:45.613
planning, implementation, and
ongoing monitoring of operational

00:05:45.613 --> 00:05:47.663
changes or increased complexity.

00:05:48.425 --> 00:05:51.375
Banks generally have approached
A I adoption cautiously.

00:05:51.885 --> 00:05:55.775
Although A I and machine learning (M L)
have been around for years in banking,

00:05:55.995 --> 00:05:59.945
new capabilities such as those arising
from generative A I can present greater

00:05:59.945 --> 00:06:01.955
compliance and operational risks.

00:06:02.615 --> 00:06:06.735
Training large language models requires
effective data quality governance.

00:06:07.358 --> 00:06:10.988
Many banks and service providers
face challenges with maintaining

00:06:10.988 --> 00:06:14.708
legacy technology architectures
while responding to these and other

00:06:14.708 --> 00:06:16.588
increasing digitization demands.

00:06:17.118 --> 00:06:20.838
It is important for banks to maintain
an effective technology architecture

00:06:20.838 --> 00:06:24.998
strategy, commensurate with the size
and complexity of products, services,

00:06:25.058 --> 00:06:26.728
and operations being supported.

00:06:27.348 --> 00:06:31.408
Technology strategies should include
processes for managing and mitigating

00:06:31.408 --> 00:06:34.748
risks from technology assets that
have reached their end of life.

00:06:35.504 --> 00:06:40.004
Banks considering or engaging in custody
services for digital assets (including

00:06:40.004 --> 00:06:44.354
cryptocurrencies), holding stablecoin
reserves, or participating in distributed

00:06:44.354 --> 00:06:48.354
ledger transaction verification
should establish and maintain prudent,

00:06:48.444 --> 00:06:50.584
effective risk management practices.

00:06:51.044 --> 00:06:54.204
Some assets may present
unique operational risks.

00:06:54.869 --> 00:06:58.719
Banks are reminded to follow O C C
processes before engaging in

00:06:58.719 --> 00:07:02.799
certain cryptocurrency, stablecoin,
and distributed ledger activities.

00:07:03.550 --> 00:07:04.870
FRAUD RISK MANAGEMENT

00:07:05.618 --> 00:07:09.518
As fraud targeting banks and their
customers continues to increase, it

00:07:09.518 --> 00:07:12.898
is important for fraud risk management
approaches to keep pace with a

00:07:12.898 --> 00:07:15.118
bank's evolving fraud risk profile.

00:07:15.778 --> 00:07:19.188
Effective fraud risk management
includes reporting risk to senior

00:07:19.188 --> 00:07:22.618
management and the board on a
timely, comprehensive basis.

00:07:23.168 --> 00:07:26.568
Additional considerations include
confirming that control systems

00:07:26.568 --> 00:07:30.678
encompass both preventative controls
to deter fraud and detective controls

00:07:30.678 --> 00:07:34.788
to identify and respond to fraud in
a timely manner once it has occurred.

00:07:35.208 --> 00:07:38.778
Results of ongoing control testing
should inform the redesign of

00:07:38.778 --> 00:07:43.008
existing controls, the implementation
of new controls, and the addition

00:07:43.008 --> 00:07:44.958
of qualified staff, as needed.

00:07:45.709 --> 00:07:49.269
Effective customer identification
and verification processes at

00:07:49.269 --> 00:07:52.399
account opening and appropriate
monitoring throughout a customer's

00:07:52.399 --> 00:07:54.159
banking relationship are critical.

00:07:54.729 --> 00:07:59.159
Confirming wire instructions, verifying
identity, and effective authentication

00:07:59.159 --> 00:08:03.969
controls are critical to preventing scams
that are perpetuated using wire transfers.

00:08:04.589 --> 00:08:07.939
Verifying the accuracy of the
transaction has caught and thwarted

00:08:07.939 --> 00:08:10.049
efforts to wire funds to fraudsters.

00:08:10.459 --> 00:08:14.389
Similarly, alerts and other messages
introducing small frictions in

00:08:14.389 --> 00:08:18.489
P2P and other transactions could
help consumers pause before making

00:08:18.489 --> 00:08:20.199
a payment to an unknown party.

00:08:20.709 --> 00:08:25.049
Identifying S A Rs on fraudulent activity
in a timely manner remains important

00:08:25.049 --> 00:08:27.159
to protect both banks and consumers.

00:08:27.699 --> 00:08:32.389
Technology can help to flag suspicious
activity, support prudent authentication,

00:08:32.559 --> 00:08:36.609
and block suspicious transactions until
further authentication has occurred.

00:08:37.434 --> 00:08:38.824
THIRD-PARTY RISK MANAGEMENT

00:08:39.638 --> 00:08:43.208
Banks should guard against complacency
and ensure that fundamental risk

00:08:43.208 --> 00:08:47.678
management practices, including
third-party risk management, remain sound.

00:08:48.198 --> 00:08:51.528
Technological advances have continued
the increasing trend of banks

00:08:51.528 --> 00:08:55.328
and trust companies outsourcing
operations and entering relationships

00:08:55.328 --> 00:08:58.618
with third parties to deliver
financial products and services.

00:08:59.138 --> 00:09:02.448
Effective management and oversight
of third-party relationships

00:09:02.448 --> 00:09:05.728
are essential and generally
follow a continuous life cycle.

00:09:06.308 --> 00:09:09.788
Third-party risk management processes
should be commensurate with the bank's

00:09:09.788 --> 00:09:14.228
size, complexity, and risk profile,
and the criticality of activities

00:09:14.228 --> 00:09:15.538
supported by the third party.

00:09:15.538 --> 00:09:20.378
A third-party relationship may expand or
grow throughout the banking relationship.

00:09:21.008 --> 00:09:24.628
Ongoing monitoring activities should
remain commensurate with the changes

00:09:24.628 --> 00:09:28.338
in the level and type of risk
and any expanded use of services.

00:09:28.908 --> 00:09:31.268
Banks should consider
interagency guidance.

00:09:31.922 --> 00:09:36.212
If your credit union could use assistance
with your exam, reach out to Mark Treichel

00:09:36.212 --> 00:09:38.832
on LinkedIn, or at Mark Treichel dot com.

00:09:39.392 --> 00:09:41.982
This is Samantha Shares and
we thank you for listening.