Nearly half of all Matters Requiring Attention (MRAs) issued are for operational risk, driven by technology risk1. In its most recent semi-annual risk assessment, the OCC stated that operational risk is elevated. The FDIC and the Fed have expressed similar concerns about technology and cyber risk in their own risk publications.
Third-party vendors can provide more capabilities and broader event correlation, reducing cybersecurity threats and improving results for client institutions. However, not all vendors are the same. The risk is greatest when a vendor itself outsources significant activities and lacks internal controls and regulatory oversight.
Relatedly, the Justice Department recently announced that 300 U.S. companies unknowingly hired foreign nationals with ties to North Korea for remote IT work2. The announcement described what officials have framed as a shadow workforce of thousands of North Korean IT workers holding low-level positions worldwide.
Action Item: Ask your key partners whether they outsource support or hosting functions to other parties, and how they verify the identity of the remote workers they employ.
Employees may use generative AI tools such as ChatGPT on their own, and even surreptitiously; this is “Shadow AI”3. Remote work compounds the opportunity for employees to use their own AI tools while reducing corporate visibility and oversight. Employees are drawn to these tools mainly because they can hand off chunks of taxing work to an invisible assistant. Pasting work into an AI tool can disclose confidential financial institution and customer data to the tool’s operator, creating disclosure and reputational risks.
Action Item: Ask your staff whether they are using AI tools such as ChatGPT and, if so, how. Self-reported answers are only a starting point; corroborate them with web proxy or DNS logs where you have them. Review what you find with your board and decide what level of risk your financial institution is comfortable accepting for AI use.
Bonus Action Item: Ask your vendors how they use AI, document what you find, and review it with your board.
Cyberattacks have more than doubled since the pandemic4. As shown in a chapter of the April 2024 Global Financial Stability Report, the risk of extreme loss from cyber incidents is increasing. Such losses could cause companies funding problems and even jeopardize their solvency. Extreme losses have more than quadrupled since 2017, to $2.5 billion, and indirect losses such as reputational damage and security upgrades are substantially higher still.
General Timothy Haugh, the U.S. military’s new cyber chief and the head of the nation’s main electronic spy agency, believes Chinese hackers are ‘prepositioning’ in critical infrastructure networks5. Haugh elaborated that the hackers are not currently extracting data but simply sitting in the networks. Officials are concerned that in a future conflict, Chinese hackers could rapidly deploy damaging cyberattacks against key pieces of infrastructure in the United States or allied countries. As a reminder, the U.S. government considers financial institutions and their networks critical infrastructure.
Criminals are using technology such as generative AI to launch attacks that have historically been the preserve of well-funded, sophisticated threat groups backed by nation-states, said Cynthia Kaiser, a deputy assistant director in the FBI’s cyber division. A beginner cyberattacker can reach an intermediate level using AI, and the most advanced adversaries are becoming more efficient with it.
The average ransomware payment has increased more than 500% in the last year6. This surge reflects the increasing sophistication of cyberattacks and the significant vulnerabilities in many platforms. AI has also enabled cybercriminals to craft remarkably convincing phishing attacks that are hard to detect even for well-trained users.
AI is used for defensive purposes as well. Financial institutions can join together as a community to gain greater security, not just by sharing threat information but by incorporating real-time response and threat mitigation.
Financial institutions were among the top five industries with the highest percentage of cyber policy claims7. The rise in claims has caused carriers to tighten underwriting standards, increase premiums, and require more cybersecurity controls on technology networks. Insureds sometimes misunderstand their obligations, leading to disagreements about coverage after an event occurs. Insurers told Congress that they need the flexibility to determine what they will and will not cover under cyber policies, and they have become more selective in the clients and industries they take on.
Are you a bank CEO or board member with questions about technology at your institution? Contact us at solutions@bankonitusa.com or 405-653-1920.
1 Office of the Comptroller of the Currency, June 18, 2024
2 Wall Street Journal, May 16, 2024
3 The Financial Brand, May 22, 2024
4 International Monetary Fund, April 9, 2024
5 Wall Street Journal, June 3, 2024
6 The Hacker News, July 2, 2024
7 Wall Street Journal, June 28, 2024