On October 19 2016 the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation (collectively 'the agencies') issued a joint advance notice of proposed rulemaking (ANPR) inviting comment regarding enhanced cyber-risk management standards for large and interconnected entities under their supervision and those entities' service providers.(1) As financial technology continues to advance, the largest, most complex financial institutions are increasingly relying on technology to carry out their banking activities and to provide critical services to the financial sector and the US economy. In the event of a cyber-attack on a covered entity, the ANPR is intended to enhance the covered entity's ability to continue to function and to reduce the overall impact on the financial system resulting from interconnectedness.
The agencies have existing supervisory programmes with general expectations for cybersecurity practices at depository institutions, their holding companies and third-party service providers. The enhanced standards that would eventually result from the ANPR would be integrated into the existing framework by establishing increased supervisory expectations for the entities and services that potentially pose a heightened cyber-risk to the safety and soundness of the financial sector. The agencies are also considering implementing the enhanced standards in a tiered manner and imposing more stringent standards on those entities critical to the functioning of the financial sector. The ANPR is structured as a discussion of proposals that the agencies are considering along with specific questions for which the agencies are seeking input. Comments on the ANPR are due by January 17 2017.
The agencies are considering applying the enhanced standards enterprise-wide to certain entities with total consolidated assets of $50 billion or more. The enhanced standards would apply to US bank holding companies, savings and loan holding companies and federal and state-chartered banks and savings associations that meet or exceed the asset threshold, and US operations of foreign banking organisations with total US assets of $50 billion or more. Additionally, the agencies are considering whether to extend the enhanced standards to non-bank financial institutions supervised by the Federal Reserve Board and designated financial market utilities and other financial market infrastructure over which the Federal Reserve Board has primary supervisory authority because they are members of the Federal Reserve System. Furthermore, the agencies are considering whether to apply the enhanced standards directly or via contract to third-party service providers with respect to services provided to depository institutions and their affiliates that are covered entities.
The enhanced standards would emphasise the need for covered entities to:
- demonstrate effective cyber-risk governance;
- continuously monitor and manage their cyber-risk within the risk appetite and tolerance levels approved by their boards of directors;
- establish and implement strategies for cyber resilience and business continuity in the event of a disruption;
- establish protocols for secure, immutable, transferable storage of critical records; and
- maintain continuing situational awareness of their operational status and cybersecurity posture enterprise-wide.
The standards would be organised into five categories:
- cyber-risk governance;
- cyber-risk management;
- internal dependency management (ie, management of business assets upon which an entity depends to deliver services);
- external dependency management (ie, management of an entity's relationships with outside vendors, suppliers, customers, utilities and other organisations upon which an entity depends to deliver services and the interconnections of the entity and those parties); and
- incident response, cyber resilience and situational awareness.
Notably, as part of the external dependency management standard, the agencies are considering a requirement that covered entities have the ability in real time to monitor all external dependencies and trusted connections enterprise-wide and to prioritise them based on their criticality to the business functions they support, the firm's mission and the financial sector. Also, as part of the incident response, cyber resilience and situational awareness standard, the agencies could include a requirement that covered entities establish plans and mechanisms to transfer business, where feasible, to another entity or service provider with minimal disruption and within prescribed timeframes if the original covered entity or service provider is unable to perform.
As discussed above, the agencies are considering establishing a two-tiered approach to implementing the enhanced standards. The general enhanced standards would apply to all systems of covered entities and an additional, higher set of expectations, referred to as "sector-critical standards", would apply to those systems of covered entities critical to the financial sector. As part of the sector-critical standards, the agencies are considering requiring covered entities to establish a recovery time objective of two hours for their sector-critical systems to recover from a cyber event. The agencies are considering whether to include the following systems within the scope of the sector-critical standards:
- systems that support the clearing or settlement of at least 5% of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, US government and agency securities, and corporate debt and equity;
- systems that support the clearing or settlement of at least 5% of the value of transactions (on a consistent basis) in other markets (eg, exchange-traded and over-the-counter derivatives); and
- systems that support the maintenance of a significant share (eg, 5%) of the total US deposits or balances due from other depository institutions in the United States.
The agencies are considering three possible approaches to implement the enhanced standards:
- as a combination of regulatory requirements along with a policy statement or guidance;
- as regulations that impose specific cyber-risk management standards; or
- as a more detailed regulatory framework, including specific objectives and practices.
For further information on this topic please contact Joel D Feinberg, David E Teitelbaum or Stanley J Boris at Sidley Austin LLP by telephone (+1 202 736 8000). The Sidley Austin website can be accessed at www.sidley.com.
(1) The ANPR was published in the Federal Register on October 26 2016. The ANPR is available at www.gpo.gov/fdsys/pkg/FR-2016-10-26/pdf/2016-25871.pdf (81 Fed Reg 74,315, Oct 26 2016).
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.