On October 19, 2016, the Board of Governors of the Federal Reserve System ("Federal Reserve"), Office of the Comptroller of the Currency ("OCC") and Federal Deposit Insurance Corporation (collectively, the "Agencies") issued an advance notice of proposed rulemaking (the "ANPR") indicating that they were considering establishing new heightened cyber risk management standards ("Enhanced Standards") for certain large financial institutions and their service providers ("Covered Entities").
The Enhanced Standards under consideration "would be designed to increase covered entities' operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management." They would apply to "the largest and most interconnected entities under [the Agencies'] supervision, as well as for services that these entities receive from third parties" and reflect the Agencies' concern that "a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences." Under a "two-tiered" approach, higher standards would apply to Covered Entities "that are critical to the financial sector."
Comments on the ANPR are due by January 17, 2017. The Agencies plan to issue a formal proposal laying out the Enhanced Standards in greater detail after considering these comments.
The Agencies are considering imposing Enhanced Standards on an enterprise-wide basis to entities including:
- US bank holding companies and US savings and loan holding companies ("SLHCs") with total consolidated assets of $50 billion or more (including SLHCs that engage significantly in insurance or commercial activities);
- US operations of foreign banking organizations with total US assets of $50 billion or more;
- National and state banks and savings associations with total consolidated assets of $50 billion or more that are not part of a holding company structure;
- Nonbank financial companies supervised by the Federal Reserve under Section 165 of the Dodd-Frank Act (e.g., non-bank SIFIs); and
- Financial market infrastructures supervised by the Federal Reserve or operated by the Federal Reserve Banks.
The Agencies are also considering applying these Enhanced Standards to certain third-party service providers.
The ANPR contemplates a "two-tiered approach" under which the Enhanced Standards would apply to all Covered Entities "and an additional, higher set of expectations, referred to . . . as 'sector-critical standards,' [would apply] to those systems of covered entities that are critical to the financial sector." This subset of entities is not clearly defined in the ANPR, but the Agencies appear to consider a 5 percent market share in a relevant market (e.g., clearing and settlement of federal funds transactions, foreign exchange, commercial paper, US government and agency securities or bank deposits) to be a relevant starting point. The Agencies also indicate that considerations such as "substitutability and interconnectedness" could bear on criticality determinations, and they seek comment on how such determinations should be made and how the standards should be established.
The Enhanced Standards
The Enhanced Standards would be organized into the following five categories: (i) cyber risk governance; (ii) cyber risk management; (iii) internal dependency management; (iv) external dependency management; and (v) incident response, cyber resilience and situational awareness. The ANPR discusses each category of Enhanced Standards and includes a number of specific questions for commenters relating to each category. A high-level summary of each category of Enhanced Standards is set forth below.
Cyber Risk Governance. A Covered Entity would be expected to implement a formal cyber risk management strategy as well as a supporting framework of policies and procedures to implement the strategy. Some of these concepts and requirements are substantially similar to the general risk management requirements contained in the OCC's heightened expectations standards and the Federal Reserve's enhanced prudential standards. In particular, the Covered Entity's board of directors or a committee of the board would have responsibility for approving the cybersecurity risk management strategy and holding senior management responsible for implementing policies consistent with the strategy. The Enhanced Standards would require increased involvement by the board in the Covered Entity's cybersecurity strategy and implementation. For example, the Agencies are considering requiring that the board have "the ability to provide credible challenge to management in matters relating to cybersecurity." To effectively discharge such obligations, the Agencies are considering a requirement that boards have adequate expertise in cybersecurity or have access to staff or resources with this expertise.
Cyber Risk Management. A Covered Entity would be expected to integrate cyber risk management responsibilities into the procedures and processes of its (i) business units, (ii) independent risk management function and (iii) internal audit department. This is a similar approach to the three lines of defense risk-management model used by most large banking organizations. Under the Enhanced Standards, as contemplated, an independent risk management function would report to the board of directors and executive management and be required to identify, measure, and monitor cyber risk across the enterprise.
Internal Dependency Management. Internal dependency management would involve the creation and implementation of a strategy to identify and manage cyber risks associated with business assets, such as a Covered Entity's workforce, data, technology, and facilities. It would require a Covered Entity to map how specific business assets support specific business functions. This approach would be designed to ensure that "[C]overed [E]ntities have effective capabilities in place to identify and manage cyber risks associated with their business assets (e.g., employees, data, technology and facilities) through their lifespans." According to the Agencies, these "risks may arise from a wide range of sources, including insider threats, data transmission errors, or the use of legacy systems acquired through a merger."
External Dependency Management. Enhanced Standards relating to external dependency management would require that a Covered Entity have capabilities to identify and manage cyber risks associated with its outside vendors, suppliers, customers, utilities and other third-party service providers, as well as risks associated with the interconnection points between the Covered Entity and third parties. The focus on external dependencies and the risks they present is consistent with the Agencies' general concerns about vendor management and third-party risks in connection with cybersecurity. As with the recent proposal by the New York State Department of Financial Services, vendors to the financial services industry may face a number of additional requirements with respect to their cybersecurity readiness.
Incident Response, Cyber Resilience and Situational Awareness. Covered Entities would be required to have capabilities and processes to continue operating critical business functions during a cyber attack and to predict, analyze and respond to changes in their operating environments. Cyber resilience strategies and exercises would be required to consider wide-scale breach recovery scenarios and be designed to support sector-wide resilience in the financial sector and minimize the risks to or from interconnected parties. Furthermore, the Enhanced Standards would require Covered Entities to establish recovery times for certain cyber attacks and to continue performing core business functions in the event of a disruption. The Agencies also are considering whether to require protocols for secure, immutable off-line storage of critical records (including loan data, asset management account information and daily deposit account balances).
Enhanced Standards for Sector-Critical Systems
If a Covered Entity operates a system critical to the functioning of the financial sector, a more stringent set of the Enhanced Standards would apply. As noted above, the ANPR does not clearly define these systems or how they would be identified. The Agencies indicate that these entities likely include those Covered Entities providing core clearing and settlement services and "other large, interconnected financial systems where a cyber-attack or disruption also could have significant impact on the U.S. financial system." The ANPR discusses three elevated Enhanced Standards: (i) minimizing residual cyber risk by implementing "the most effective, commercially available controls"; (ii) a recovery time objective ("RTO") of two hours following the occurrence of a cyber event; and (iii) for Federal Reserve-supervised entities, qualitative measurement of cyber risk and reduction of that risk to a "minimal level."
Quantifying Cyber Risk
The ANPR discusses the Agencies' aim to develop a methodology for measuring cyber risk that can be used in a consistent and repeatable manner by all Covered Entities.
With respect to this point, the Agencies are particularly interested in comments on potential methodologies to quantify inherent and residual cyber risk and compare entities across the financial sector.
Implementation of the Enhanced Standards
The ANPR solicits comments on the method that the Agencies should use to promulgate any Enhanced Standards. The ANPR identifies three possible approaches: (i) issuance of a regulatory requirement to maintain a risk management framework, along with a policy statement or guidance (similar to the Interagency Guidelines Establishing Information Security Standards) that describes "minimum expectations for the framework"; (ii) issuance of a regulation that imposes specific cyber risk management standards that Covered Entities would be expected to implement; or (iii) issuance of a regulation like that contemplated in the second option, along with more "details on the specific objectives and practices a firm would be required to achieve in each area."
The ANPR reflects financial regulators' ongoing concern with cyber risks and their continued scrutiny of cybersecurity practices. Interested parties should consider commenting on the ANPR and should monitor developments closely as this process continues. Regardless of its outcome, regulated entities should expect cybersecurity issues to feature prominently in the supervisory, investigatory and policymaking contexts.