Federal regulators in the financial services sector have become the latest among the growing field of cybersecurity risk management watchdogs. On Oct. 19, 2016 the Board of Governors of the Federal Reserve System (Federal Reserve), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) (collectively the “Agencies”) released a joint Advance Notice of Proposed Rulemaking (ANPR)1 requesting public comment on enhanced cybersecurity standards that would apply to certain large, interconnected financial entities (collectively the “Covered Entities”)2 and to third-party service providers with respect to services provided to depository institutions and their affiliates that are covered entities (covered services).

The enhanced cybersecurity standards being considered by the Agencies, if implemented in the form described in the ANPR, could require significant new efforts by those in key leadership roles within the Covered Entities to both implement compliant processes and manage these processes on an ongoing basis. Some of the critical leadership roles and business units that will be impacted include i) Members of the Board of Directors; ii) the Office of General Counsel; iii) Risk Management; iv) Internal Audit; v) the Chief Privacy Officer, Chief Information Security Officer and the Chief Technology Officer.

The purpose of this Alert is to summarize the key requirements described in the ANPR and to highlight some of the critical questions which the Agencies invited the Covered Entities to evaluate.

Highlight of Requirements

Enhanced Cybersecurity Risk Management Standards

The ANPR defines the cybersecurity risk management standards that will apply to the Covered Entities in the following areas:

1. Cyber Risk Governance

The cyber risk governance standards would address how a Covered Entity develops and maintains its cyber risk management strategy, as well as the enterprise-wide distribution of responsibility within the entity for approving and implementing the strategy and overseeing its execution. The standards would extend to cybersecurity those governance standards that already apply to other business operations of large, complex financial organizations already are expected to employ, as required by the OCC.

Standards in this area would include:

  • Development of a written, board-approved, enterprise-wide cyber risk management strategy that is incorporated into the overall business strategy and risk management of the firm;

  • Establishment of board-approved cyber risk tolerances consistent with the firm’s risk appetite and strategy and management of cyber risk appropriate to the firm’s operations; and,

  • Requirement for the board of directors to have adequate cybersecurity expertise or to maintain access to resources or staff with such expertise.

2. Cyber Risk Management

In this area, the enhanced standards would require, to the greatest extent possible and consistent with organizational structure, Covered Entities to integrate cyber risk management into three independent functions:

  1. Business units – Assessment of major cyber risks associated with business activities of business units would need to be conducted on a regular basis with any threats being reported to senior management, including the CEO, as appropriate, in a timely manner so that senior management can address and respond to emerging cyber risks and cyber incidents as they develop.

  2. Independent risk management – Enterprise-wide cyber risk management would need to be incorporated into an independent risk management function that would report up through the Chief Executive Officer and the Board of Directors, as appropriate, when its assessment of a particular cyber risk differs from that of a business unit, as well as of any instances when a unit of the covered entity has exceeded the entity's established cyber risk tolerances.

  3. Audit – Audit would be required to incorporate an assessment of the effectiveness of the entire cybersecurity risk management strategy and framework into its overall audit plan. Further, the audit function would be required to assess the cyber risk management framework for compliance with applicable laws and regulations, and to ensure the framework is appropriate for the size, complexity, interconnectedness, and risk profile of the firm.

3. Internal Dependency Management

The business assets (e.g., workforce, data, technology, and facilities) upon which a Covered Entity depends to accomplish its business objectives and the information flows and connection points between them are the ‘internal dependency’ to which the standards will apply.

4. External Dependency Management

The Covered Entities relationships with external organizations (e.g., vendors, suppliers, customers and utilities) that are essential to services provided constitute the ‘external dependency’ to which the enhanced security standards will apply.

5. Incident Response, cyber resilience and situational awareness

Covered Entities would be required to plan for, respond to, contain, and rapidly recover from disruptions caused by cyber incidents, thereby strengthening their cyber resilience as well as that of the financial sector.

Standards in this area would include:

  • Establishment and maintenance of effective incident response and cyber resilience governance, strategies, and capacities in order to withstand, contain, and rapidly recover from a disruption caused by a significant cyber event.

Sector-Critical Systems

The Agencies have announced that even more stringent standards could be required for sector-critical systems. Minimizing sector-critical cyber risks means substantially mitigating the risk of a disruption or failure due to a cyber-event.

The more stringent standards applicable to sector-critical systems could include:

  • Minimization of the residual cyber risk by implementing the most effective, commercially available controls to substantially mitigate the risk of a disruption or failure due to a cyber-event.

  • Establishment of a Recovery Time Objective(i.e., amount of time in which a Covered Entity aims to recover clearing and settlement activities after a wide-scale disruption with the overall goal of completing material pending transactions on the scheduled settlement date) of two hours for sector-critical systems.

  • Requirement for Federal Reserve-supervised Covered Entities, at the holding company level, to measure quantitatively their ability to reduce the aggregate residual cyber risk of a sector-critical system and to reduce such risk to a minimal level.

Critical Questions for Public Comment

  • How would a Covered Entity determine that it is managing cyber risk consistent with its stated risk appetite and tolerances? What other implementation challenges does managing cyber risk, consistent with a Covered Entity’s risk appetite and tolerances, present?

  • What are the incremental costs and benefits of establishing the contemplated standards for the roles, responsibilities, and adequate cybersecurity expertise (or access to adequate cybersecurity expertise) of the board of directors? To what extent do Covered Entities already have governance structures in place that are broadly consistent with the proposed cyber risk governance standards?

  • The Agencies seek comment on the appropriateness of requiring Covered Entities to regularly report data on identified cyber risks and vulnerabilities directly to the CEO and board of directors and, if warranted, the frequency with which such reports should be made to various levels of management? What policies do Covered Entities currently follow in reporting material cyber risks and vulnerabilities to the CEO and board of directors?

  • The Agencies request comment on the comprehensiveness and effectiveness of the proposed standards for internal and external dependency management in achieving the agencies’ objective of increasing the resilience of Covered Entities, third-party service providers to Covered Entities, and the financial sector.

  • How do the proposed internal and external dependency management standards compare with processes already in place at banking organizations?

  • How would the proposed standards for internal and external dependency management impact a Covered Entity's use of a third-party service provider?

  • What additional issues should the agencies consider related to internal and external dependency management and the Covered Entities’ use of third-party service providers? How should those issues be evaluated by the agencies?

  • How well do the proposed standards for incident response, cyber resilience, and situational awareness address the safety and soundness of individual financial institutions and potential systemic cyber risk to the financial sector, including with respect to the testing strategies and approaches? How could they be improved?

  • How do Covered Entities currently evaluate their incident response and cyber resilience capabilities?

  • What factors should the agencies consider essential in considering a Covered Entity's incident response and cyber response capabilities?

  • What other factors should be included within the incident response, cyber resilience, and situational awareness category?

Conclusion

The Agencies will evaluate public comments with respect to the ANPR in developing detailed requirements for enterprise-wide cybersecurity risk management in a Notice of Proposed Rulemaking, which will also be published for public comment. The deadline for submitting public comment to the ANPR is January 17, 2017. The final step in this process after consideration of comments to the Notice of Proposed Rulemaking will be issuance of a Final Rule.