On October 19, 2016, three US financial regulators – the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation (collectively, the “Agencies”) – issued a joint Advance Notice of Proposed Rulemaking (“ANPR”) seeking comments by all stakeholders on enhanced cyber risk management standards. Historically, US regulators have provided non-mandatory guidelines for cybersecurity best practices for voluntary compliance by financial institutions to ensure preparedness in the face of cyber threats. For the first time, the ANPR outlines proposals for minimum binding standards that would be applicable to some of the largest regulated institutions in the US with consolidated assets of US$50 billion or more on an enterprise-wide basis. These binding standards indicate a shift in the approach adopted by US regulators from lenient oversight to one that is more prescriptive.
Notably, the proposals are also applicable to certain nonbank financial institutions (“NBFI”), as well as third-party service providers used by regulated financial institutions. NBFIs include non-licensed financial institutions that facilitate financial services, such as online brokerages; third-party service providers include those entities that provide payments processing, core banking and other financial technology services. The expansive nature of the ANPR’s scope further indicates the Agencies’ vision for more detailed regulation of the financial sector’s cybersecurity preparedness than previously.
While the enhanced standards will be baseline minimums applicable to all covered entities, the ANPR proposes an additional higher set of standards for those financial institutions with “sector-critical systems.” The Agencies define critical elements of the US financial system to include markets for commercial paper, corporate debt and equity, and US government bonds. Financial institutions that will be held to the additional set of standards are then defined as those that play a role in critical markets with sufficient market share such that their failure to settle their own or their customers’ material pending transactions by the end of business day could present systemic risk.
The ANPR divides the minimum proposed standards into five categories:
- Refers to maintaining a formal cyber risk strategy integrated into risk governance structures; requires board of directors to develop written, enterprise-wide cyber risk strategy, approve cyber risk appetite and tolerances, and oversee and hold senior management accountable for implementing policies; proposal would require members of the board of directors to have adequate expertise in cybersecurity to be able to credibly carry out their role.
- Proposal would require business units responsible for day-to-day operations to frequently assess the cyber risks associated with their activities, comply with the entity’s own cyber risk management framework, and report vulnerabilities and threats to senior management.
- Proposal recommends establishment of an independent risk management function within the entity to analyze, respond and promptly notify issues related to cyber risk at the enterprise level; an additional audit function is also proposed to frequently evaluate the efficacy of established policies and protocols.
Internal Dependency Management
- Refers to the cyber risks associated with an entity’s own business assets e.g. insider threats, data storage policies and use of legacy systems acquired through acquisitions; the internal dependency strategy would form part of the broader cyber risk management plan implemented by the entity to ensure risks from internal dependencies are minimized by keeping inventory and mapping all vulnerable assets to ensure monitoring and adequate levels of incident response.
External Dependency Management
- Refers to cyber risks associated with an entity’s relationships with outside vendors, suppliers, customers and other service providers; similar to internal dependency mechanisms requiring awareness of all possible external risk sources, as well as defined policies to ensure effective monitoring and incident response.
Incident Response, Cyber Resilience and Situational Awareness
- Refers to an entity’s ability to maintain critical functionality in the event of cyber security incidents or disruptions; the proposals require establishing recovery time objectives, as well as developing protocols for secure, immutable off-line preservation of critical records in the event of a significant cyber event.
Impact of Proposed US Regulations on Canadian Financial Institutions
In light of the proposed enhanced standards, Canadian financial institutions should carefully consider any potential consequences and liabilities arising out of recent or future acquisition activity in the US. The Agencies are considering applying the enhanced standards on the US operations of foreign banking organizations with total US assets of US$50 billion or more. Canadian financial institutions expanding their footprint in the US run the risk of being subject to these mandatory minimum standards in the future, if their US asset base does not already exceed the threshold.
The binding nature of the proposed US Regulations will also likely catch the attention of Canadian regulators. In 2013, the Office of the Superintendent of Financial Institutions (“OSFI”) introduced a voluntary Cybersecurity Self-Assessment Guideline (the “Guideline”) and allowed federally regulated financial institutions (“FRFIs”) to assess their own levels of preparedness and respond to any perceived gaps or weaknesses.
Notably, OSFI stated at the time that while it encouraged FRFIs to utilize the Guideline, it did not plan to establish specific guidance for the control and management of cyber risk. OSFI did however reserve the right to specifically request completion of the otherwise voluntary self-assessment, or emphasize certain best practices in future supervisory circumstances. Since 2013, OSFI has made no substantial changes to the Guideline, limiting its updates to improved guidance in light of an evolving understanding of the cybersecurity threat. (By way of contrast, the New York Department of Financial Services (“NYDFS”) recently announced its first State-level regulations for cybersecurity applicable to financial institutions – see our blog post here.)
The existing Guideline prescribed by OSFI touches upon most, if not all, of the key priority areas identified by the ANPR. Insofar as the difference between a voluntary and mandatory system goes, the OSFI self-assessment template leaves it to FRFIs to devise mechanisms and methods of achieving the stated diligence goals. The ANPR recommends specific methods and procedures.
Despite the differences in policy mechanisms between Canada and the US, it is not inconceivable that Canadian regulators could eventually shift towards binding standards in the future, though there is nothing right now to indicate such a move is being considered. However, the risks posed by cyber threats to the financial system are evolving rapidly and Canadian regulators may prefer to share the burden of ensuring steadfastness in the face of these risks with all participants of the financial system. The Bank of Canada has also touted the mirror-like similarities of the Canadian approach to cybersecurity policy guidance and stress testing as compared to other jurisdictions like the US and UK. If these and other countries decide to embark on a trend of binding standards, Canadian regulators may start examining a similar direction and could follow suit to ensure they are in line with accepted global regulatory thinking.