Cybersecurity

Warren presses regulators on cybersecurity

Sen. Elizabeth Warren (D-Mass.) didn’t seem to be getting the answers she wanted from regulators during a Wednesday hearing on financial sector cybersecurity.

Warren, who rode into Congress largely on her fierce criticism of Wall Street, wanted to know how banks are held accountable for poor cybersecurity and how the government oversees the security of financial firms’ third-party vendors.

During a Senate Banking Committee hearing, Warren pressed officials from the Treasury Department and the Office of the Comptroller of the Currency (OCC) for information, but didn’t appear satisfied.

The OCC, as part of its safety and soundness assessments, ranks banks on the systemic risks they face. Warren wanted to know what role cybersecurity played in that ranking.

“The question I was asking is whether or not you take [cybersecurity] into account in ranking the institutions,” Warren said, cutting off Valerie Abend, OCC senior critical infrastructure officer.

Abend explained the OCC analyzes the overall risk profile of each institution and will assign on-site information technology examiners based on that risk.

“We do see cybersecurity as a safety and soundness issue and we do look at the risk profile of those institutions,” Abend said.

“And you put it into the ranking?” Warren asked.

“I’m not the expert who conducts that part of the ranking,” Abend conceded.

“I’d really like to know that the OCC is using [cybersecurity] as part of its ranking,” Warren replied.

Comptroller of the Currency Thomas Curry did recently put the financial industry on notice, warning banks the OCC would be conducting spot cybersecurity examinations.

“Not only do financial institutions need to have good controls over their own systems, they need to monitor carefully the ways in which they connect to vendors,” he said in November.

Vendor cybersecurity was another issue Warren hit on Wednesday.

She asked Brian Peretti, who directs the Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy, how Treasury monitors “other entities along the chain.”

“What Treasury has been doing is communicating with financial firms to be able to highlight this risk within the system to be able to make sure they’re paying attention,” Peretti said.

“I’m sorry, so your monitoring of the chain is limited to telling the financial institutions to take a look at the chain?” Warren asked.

“What I think I’m hearing you say is that you’re just telling the financial institutions to be sure to monitor,” she added later.

“Treasury’s not a financial regulator,” Peretti explained. The department provides information to other federal and state financial regulators. Treasury has signaled that regulators should include the third-party vendor security risk in their financial firm examinations, Peretti said.

Last year, hackers got in through a third-party vendor to compromise the payment card data of 40 million Target customers.