On Oct. 19, the Board of Governors of the Federal Reserve System (the Board), the Office of the Comptroller of the Currency (the OCC) and the Federal Deposit Insurance Corporation (the FDIC, and collectively with the Board and the OCC, the Agencies) issued a joint advance notice of proposed rulemaking (ANPR) inviting comment regarding enhanced cyber risk management standards for large and interconnected entities under their supervision and those entities’ service providers. As financial technology continues to advance, the largest, most complex financial institutions have relied more and more on technology to carry out their banking activities and to provide critical services to the financial sector and the U.S. economy. The ANPR is intended to enhance a covered entity’s ability to continue to function in the event of a cyber attack on that entity and to reduce the overall impact on the financial system that results from interconnectedness.
The Agencies have existing supervisory programs with general expectations for cybersecurity practices at depository institutions, their holding companies and third-party service providers. The enhanced standards that would eventually result from the ANPR would be integrated into the existing framework by establishing enhanced supervisory expectations for the entities and services that potentially pose heightened cyber risk to the safety and soundness of the financial sector. The Agencies also are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on those entities critical to the functioning of the financial sector. The ANPR is structured as a discussion of proposals that the Agencies are considering along with specific questions for which the Agencies are seeking input. Comments on the ANPR are due by Jan. 17, 2017.
Scope of Application
The Agencies are considering applying the enhanced standards enterprisewide to certain entities with total consolidated assets of $50 billion or more. The enhanced standards would apply to U.S. bank holding companies, savings and loan holding companies, and federal- and state-chartered banks and savings associations, in each case that meet or exceed the asset threshold, and U.S. operations of foreign banking organizations (with total U.S. assets of $50 billion or more). Additionally, the Agencies are considering whether to extend the enhanced standards to nonbank financial institutions supervised by the Board and designated financial market utilities and other financial market infrastructure over which the Board has primary supervisory authority because they are members of the Federal Reserve System. Furthermore, the Agencies are considering whether to apply the enhanced standards directly or via contract to third-party service providers with respect to services provided to depository institutions and their affiliates that are covered entities.
Enhanced Cyber Risk Management Standards
The enhanced standards would emphasize the need for covered entities to (1) demonstrate effective cyber risk governance; (2) continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors; (3) establish and implement strategies for cyber resilience and business continuity in the event of a disruption; (4) establish protocols for secure, immutable, transferable storage of critical records; and (5) maintain continuing situational awareness of their operational status and cybersecurity posture enterprisewide. The standards would be organized into five categories: cyber risk governance; cyber risk management; internal dependency management (i.e., management of business assets upon which an entity depends to deliver services); external dependency management (i.e., management of an entity’s relationships with outside vendors, suppliers, customers, utilities and other organizations upon which an entity depends to deliver services and the interconnections of the entity and those parties); and incident response, cyber resilience and situational awareness.
Notably, as part of the external dependency management standard, the Agencies are considering a requirement that covered entities have the ability in real time to monitor all external dependencies and trusted connections enterprisewide and to prioritize them based on their criticality to the business functions they support, the firm’s mission and the financial sector. Also, as part of the incident response, cyber resilience and situational awareness standard, the Agencies could include a requirement that covered entities establish plans and mechanisms to transfer business, where feasible, to another entity or service provider with minimal disruption and within prescribed timeframes if the original covered entity or service provider is unable to perform.
Sector Critical Systems
As discussed above, the Agencies are considering establishing a two-tiered approach to implementing the enhanced standards: The general enhanced standards would apply to all systems of covered entities, and an additional, higher set of expectations, referred to as “sector-critical standards,” would apply to those systems of covered entities critical to the financial sector. As part of the sector-critical standards, the Agencies are considering requiring covered entities to establish a recovery-time objective of two hours for their sector-critical systems to recover from a cyber event. The Agencies are considering whether to include the following systems within the scope of sector-critical standards:
- systems that support the clearing or settlement of at least 5 percent of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity
- systems that support the clearing or settlement of at least 5 percent of the value of transactions (on a consistent basis) in other markets (e.g., exchange-traded and over-the-counter derivatives)
- systems that support the maintenance of a significant share (e.g., 5 percent) of the total U.S. deposits or balances due from other depository institutions in the United States.
Implementing the Enhanced Standards
The Agencies are considering three possible approaches to implementing the enhanced standards: (1) a combination of regulatory requirements along with a policy statement or guidance; (2) regulations that impose specific cyber risk management standards; or (3) a more detailed regulatory framework, including specific objectives and practices.