Date: 2024-01-17

Michael Barr, the Federal Reserve's vice chair for supervision, has voiced concerns over the inadequacies in banks' management of third-party cyber risk. At a recent conference, he underscored the escalating threats of ransomware and the vulnerabilities inherent in the growing dependency on third-party service providers. Barr emphasized the urgency for banks to bolster their cyber defenses and resilience strategies.

Rising Threats and Gaps in Defense

While banks bear the onus of managing their third-party risk, Barr pointed out historical gaps in these efforts. The increasing interconnectivity of our financial systems and advancing technology make cyber threats more disruptive than ever. The growing reliance on third-party service providers also poses a significant cyber risk. He emphasized the importance of not just improving defense mechanisms, but also resilience, by developing and regularly testing business continuity plans to manage successful cyber-attacks.

The Quantification Challenge

Barr also touched upon the challenges associated with quantifying cyber risk. The lack of comprehensive data and the nascent stage of current techniques present significant obstacles. To bridge this gap, a new law requiring banks to report specific cybersecurity incidents to the federal government within 72 hours is anticipated to facilitate better data collection. This reporting is expected to assist the Cybersecurity and Infrastructure Security Administration in producing threat reports and providing early warnings.

The Interconnectedness Factor

Understanding the interconnectedness of financial companies and service providers will aid in assessing the impact of cyber incidents on the financial system, Barr suggested. This knowledge will be instrumental in improving risk quantification. Amid these concerns, the Federal Reserve has proposed a substantial increase in capital requirements for banks, particularly those associated with operational risk. However, this proposal has met with resistance from bankers, who argue that it is unnecessary and excessively punitive.

The Federal Reserve Board and the Federal Deposit Insurance Corporation have announced an extension for certain large financial institutions to submit their resolution plans, or 'living wills,' until March 31, 2025. The extension is being provided to allow reasonable time for the proposed guidance on resolution plans to be incorporated in the submissions.

In the face of these challenges, Barr's call to action serves as a stark reminder of the need for banks to bolster their cyber defenses and improve their resilience strategies. As the threats of ransomware and third-party risks grow, it becomes increasingly crucial for banks to manage these risks effectively and ensure the stability of our financial systems.