In January 2014, the Office of the Comptroller of the Currency (OCC), together with the other federal banking agencies, proposed formal guidelines for heightened expectations for large banks. The OCC’s proposed guidelines would require that large banks, among other things, design and implement a risk governance framework for front line units, independent risk management, and internal audit departments. In a speech on May 7, 2014, before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference, Comptroller of the Currency Thomas J. Curry highlighted the importance of data privacy and cybersecurity programs at large banks.

The Comptroller noted the recent increase in the volume and sophistication of attacks on banks and his focus on this particular type of operational risk. Given that many of the losses banks have sustained in the last several years were attributable not to loans they made, but rather to lapses in operational risk, banks should view operational risk issues in terms of their impact on the entire enterprise, and not merely as – to use cybersecurity as an example – an IT issue. Comptroller Curry closed his speech by stating that mitigating data privacy and cybersecurity risks requires a fully integrated and comprehensive approach – which is exactly what the OCC’s heightened expectations are intended to achieve.

 
