On October 19, 2016, the three major federal banking regulators announced a joint advance notice of proposed rulemaking (ANPR) for enhanced cyber risk management standards (Enhanced Standards) for large and interconnected federally regulated financial institutions and their third-party service providers.1
The ANPR is a joint effort of the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (the Bank Regulators). It describes plans for Enhanced Standards at a conceptual level, and poses 39 questions for comment. Comments are due January 17, 2017. The Bank Regulators plan to use information collected from the ANPR to develop a more detailed proposed rule that will be published for public comment at a later date.
Justifying the need for Enhanced Standards, the Bank Regulators pointed to the increasing dependence of financial institutions on technology, the unique vulnerabilities that arise from cyber-attacks, and the systemic risks to the U.S. economy that arise from the size and interconnectedness of those institutions.
In light of those risks, the purpose of the Enhanced Standards will be to increase the “operational resilience” of large and interconnected entities under the supervision of the Bank Regulators and reduce the potential impact on the financial system in case of a cyber event.2 The Bank Regulators appear to be focused on systemic risks, noting that “a technology failure or cyber-attack at one covered entity could have wide-ranging effects on the safety and soundness of other financial entities[.]”3
As a threshold matter, the Bank Regulators would limit the application of the new standards to “covered entities.” They have proposed limiting covered entities to two categories: (1) banks, bank holding companies, and savings and loan holding companies with at least $50 billion in consolidated assets on an enterprise-wide basis; and (2) nonbank financial companies that the Financial Stability Oversight Council (FSOC) has determined should be supervised by the Federal Reserve (so-called nonbank SIFIs).4 The Bank Regulators are also considering applying the standards to third-party service providers with respect to the services they provide to covered entities. For those providing services to depository institutions and their affiliates, the standards would apply directly, while for those providing services to nonbank SIFIs, the standards would apply indirectly by requiring nonbank SIFIs to verify that their service providers meet the standards that would apply if the services were being conducted by the nonbank SIFIs themselves.
The Bank Regulators are contemplating a comprehensive set of standards, covering everything from board governance and high-level cyber risk management to daily operations and firm cybersecurity culture. Reflecting the breadth of the proposed standards, the Bank Regulators articulated five different categories to capture them:
- Cyber risk governance: Standards in this category could include the development of a “written, board-approved, enterprise-wide cyber risk management strategy that is incorporated into the overall business strategy and risk management of the firm.”5 This would include a requirement to establish cyber risk tolerances consistent with the firm’s risk appetite and strategy, and to manage cyber risk in a way that is appropriate to the nature of the operations of the firm. The Bank Regulators may require the entity’s board to have expertise in cybersecurity or to maintain access to resources or staff with such expertise in order to develop and maintain such a strategy. Covered entities will need board-level competence in cybersecurity sufficient to allow “credible challenge to management in matters related to cybersecurity and the evaluation of cyber risks and resilience.”6
- Cyber risk management: Standards in this category would require covered entities to integrate cyber risk management at three levels: (i) at the business unit level; (ii) in an independent risk management function; and (iii) in an audit function. Business units would be required to assess the cyber risks associated with their activities on an ongoing basis, with reporting and compliance processes sufficient to assure adherence to the cyber risk management framework. The independent risk management and audit functions would operate as separate and distinct lines of defense.7
- Internal dependency management: Standards in this category would be directed at intra-organizational cyber risks, including internal workforce, data, technology, and facilities on which the covered institution depends to deliver services. Managing risk in this category could involve (i) an inventory of all business assets, prioritized according to the assets’ criticality to the business functions they support, the firm’s mission, and the financial sector as a whole; (ii) an ongoing assessment of associated cyber risks; and (iii) the development of corresponding controls.8
- External dependency management: Standards in this category will apply to the way covered entities interact with external vendors, suppliers, customers, and utilities on which they depend to deliver services, as well as information flows and interconnections between the covered entity and those external parties. Covered entities will be expected to continually assess and improve, as necessary, their effectiveness in reducing the cyber risks associated with external dependencies and interconnection risks enterprise-wide. This could involve new processes for due diligence, contracting and sub-contracting, onboarding, ongoing monitoring, change management, and off-boarding.9 It also contemplates real-time monitoring of external dependencies and trusted connections and establishing and applying appropriate controls throughout the life span of a relationship with an external partner.
- Incident response, cyber resilience, and situational awareness: Standards in this category will focus on a covered entity’s ability, if and when other controls fail, to plan for, respond to, contain, and rapidly recover from disruptions caused by cyber incidents.10 This could involve developing effective escalation protocols, cyber contagion containment procedures, communications strategies, and feedback and improvement mechanisms. It could further involve standards for the secure offline storage of critical records, the ability to transfer critical functions to other entities, and the testing and auditing of existing plans and procedures.
The Bank Regulators are also considering a two-tiered approach, in which enhanced standards apply to all systems of covered entities, and additional higher expectations (called sector critical standards) apply to those systems of covered entities that are critical to the financial sector. The systems being considered for sector critical standards by the Bank Regulators are: (1) those that support the clearing or settlement of at least 5% of the value of transactions in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities, corporate debt and equity securities, and other markets (such as exchange-traded and over-the-counter derivatives); and (2) those that support the maintenance of a significant share of the total U.S. deposits or balances due from other depository institutions. Additional factors that could lead to the application of sector critical standards are also being considered, such as a system’s substitutability or interconnectedness. Sector critical standards could be quite burdensome: they may include a requirement to use the “most effective, commercially available controls,” and adoption of a target recovery time of only two hours after a crippling cyberattack.11
This proposal represents the latest development in an accelerating trend of heightened cybersecurity standards for financial institutions. As we reported earlier, the New York Department of Financial Services (DFS) also announced that the financial institutions it regulates will be required to comply with tougher cybersecurity regulations.12 The DFS proposed rules are expected to take effect March 1, 2017. Unlike DFS and some other recent cybersecurity efforts, the Bank Regulators’ proposal is squarely focused on the safety and soundness of financial institutions and the financial system as a whole, and less on consumer protection (e.g., the risk of identity theft after a data breach).
The extent to which compliance with the DFS rules and other cybersecurity rules will constitute compliance with the proposed federal standards is not yet clear, because the proposal is still in its earliest stages and remains subject to revision. Financial services companies subject to the DFS rules should nonetheless watch this proposal closely for requirements that do not overlap. Further, whether or not they are regulated by DFS, financial services companies will want to follow this proposal as the Bank Regulators clarify its scope with respect to size, level of interconnection with other institutions, and coverage of service providers.

1 Enhanced Cyber Risk Management Standards, 81 Fed. Reg. 74315 (Oct. 26, 2016).
2 Id. at 74316.
3 Id. at 74319.
4 Id. at 74318. Nonbank SIFIs include certain insurance holding companies. Certain financial market utilities (FMUs) and financial market infrastructures (FMIs) are also covered.
5 Id. at 74321.
6 Id.
7 Id. at 74321-22.
8 Id. at 74322-23.
9 Id. at 74323-24.
10 Id. at 74324-25.
11 Id. at 74325.
12 See Legal Alert: NY DFS Announces Proposal for Cybersecurity Rules for Financial Services Companies (Sept. 22, 2016).