On October 19, 2016, the Federal Deposit Insurance Corporation, the Federal Reserve Board (“Board”) and the Office of the Comptroller of the Currency (the “OCC”) (collectively, the “Agencies”) released an Advance Notice of Proposed Rulemaking (“ANPR”) laying out a framework for enhanced cyber risk management standards that the Agencies are considering requiring of certain “large and interconnected” financial institutions. The Agencies have not yet proposed specific standards in a formal proposed rule. Instead, the Agencies have laid out a framework that they are considering and have requested comment on a series of questions that will inform a later, more specific proposal.
The ANPR of course comes at a time of heightened regulatory scrutiny regarding cybersecurity and the potential impact on the country’s financial sector. While the ANPR closely follows the Agencies’ release in September of updated examination expectations on information security for all financial institutions subject to the Agencies’ authority, the ANPR is focused specifically on those financial institutions that the Agencies believe are most critical to the country’s financial system and economy. The Agencies highlight that “the increasing interconnectedness of the U.S. financial system” creates the risk that “a cyber incident or IT failure at one entity may impact the safety and soundness of other financial entities and introduce potentially systemic consequences.” While the Agencies signaled earlier this year that they were considering new cybersecurity rules, the timing of the ANPR is noteworthy because it closely follows the highly publicized efforts by the New York Department of Financial Services to adopt stringent cybersecurity rules for financial institutions subject to the Department’s oversight and authority.
Covered Financial Institutions
As noted above, the Agencies are considering applying enhanced cyber risk management standards to “large and interconnected” financial institutions that are subject to the oversight of the Agencies. The focus is financial institutions with total consolidated assets of $50 billion or more, including bank holding companies and banks and thrifts with consolidated assets of $50 billion or more. The Agencies, however, indicate that they are considering applying the enhanced standards on an enterprise-wide basis to include subsidiaries because “cyber risks in one part of an organization could expose other parts of the organization to harm.” In addition, the Board also is considering applying enhanced standards to certain nonbank entities, including certain financial market utilities.
Particularly noteworthy, the Agencies indicate that they are considering applying the same enhanced standards to “third-party service providers with respect to services provided to” covered financial institutions in order to “ensure consistent, direct application of the standards regardless of whether a depository institution or its affiliate conducted the operation itself, or whether it engaged a third-party service provider to conduct the operation.” This is not surprising in light of the Agencies’ ongoing focus on third-party risk management. Nonetheless, the Agencies do not clarify if they envision imposing the enhanced standard on every service provider or only certain service providers that pose cyber risk to a covered financial institution.
Based on the questions asked in the ANPR, the Agencies continue to consider the critical scope question of which entities should be subject to the enhanced standard, including, for example, what asset thresholds are appropriate and how to impose the enhanced standards on service providers if that is in fact appropriate.
Standards Under Consideration
The Agencies are contemplating a two-tiered approach to imposing enhanced cybersecurity standards. Specifically, the Agencies are considering applying enhanced standards to all systems of covered financial institutions, but heightened requirements (i.e., “sector-critical standards”) for systems of covered entities that are critical to the financial sector.
Enhanced Standards for All Systems
The “enhanced” standards that the Agencies are considering for all systems of a covered financial institution would be organized into five categories:
- cyber risk governance (e.g., board of director responsibility for cyber risk management strategy);
- cyber risk management (e.g., an independent cyber risk management function);
- internal dependency management for workforce, data, technology and facilities (e.g., an inventory of all business assets on an enterprise-wide basis);
- external dependency management of relationships with outside vendors, suppliers, customers and other third parties (e.g., monitoring external dependencies and trusted connections); and
- incident response, cyber resilience and situational awareness (e.g., protocols for “secure, immutable, off-line storage of critical records”).
The ANPR lays out specific controls that the Agencies are considering for each category. In this regard, the Agencies note that the five categories are organized in this order “to emphasize the core cyber risk governance and cyber risk management standards” that the Agencies would expect a covered financial institution to develop in order to “establish a foundation for making informed risk-based decisions in support of its business objectives.”
Sector-Critical Systems and Standards
The ANPR flags the challenges of defining sector-critical systems. As a starting point, the Agencies point to definitions of “critical financial markets” and “firms that play significant roles in critical financial markets” previously introduced by the Board, the OCC and the Securities and Exchange Commission in a 2003 interagency whitepaper on sound practices to strengthen the resilience of the U.S. financial system. Based on these definitions, the Agencies are considering which systems should be considered sector-critical systems. For example, the Agencies are considering whether systems that support the maintenance of a significant share (e.g., 5%) of the total U.S. deposits or balances due from other depository institutions should be considered sector-critical systems. To address interconnectedness and substitutability factors, the Agencies are considering whether systems that either provide key functionality to the financial sector for which there are limited or no alternatives (or such alternatives would take excessive time to implement) or act as key nodes to the financial sector should be considered sector-critical systems. The Agencies request comment on how to appropriately define “sector-critical systems,” including the thresholds for transaction value in a financial market and whether entities have enough information to determine whether their systems would be considered sector-critical systems.
Moreover, the Agencies are considering proposing heightened sector-critical standards that would require covered entities with sector-critical systems “to substantially mitigate the risk of a disruption due to a cyber event to their sector critical systems.” The standards under consideration are dramatic and not focused simply on risk management in a process sense. For example, the Agencies are considering requiring relevant covered financial institutions to substantially mitigate the risk of a disruption or failure due to a cyber event “by implementing the most effective, commercially available controls.” In addition, the Agencies are considering requiring covered financial institutions to establish recovery time objectives of just two hours for sector-critical systems (validated by testing) to recover from a disruptive, corruptive or destructive cyber event.
While the Agencies have not yet determined the precise regulatory approach for imposing the enhanced cybersecurity standards on “large and interconnected” financial institutions or the entities to which those standards would apply, it is clear that any formal proposal will include heightened expectations that far exceed existing legal requirements and the expectations communicated by the Agencies to date on cybersecurity. The country’s largest financial institutions in particular should closely monitor developments in this space, including a more formal proposed rule that could be issued for comment at some point in 2017. As for now, financial institutions and others can submit comments to the Agencies on the ANPR. Comments are due by January 17, 2017.