In a major new cybersecurity initiative the federal banking agencies have issued an advanced notice of proposed rulemaking (“APNR”) seeking comment on enhanced cybersecurity standards for banking entities with $50 billion or more in total assets. The standards will apply to U.S. bank and savings and loan holding companies and their subsidiary institutions as well as to foreign bank holding companies with $50 billion or more in U.S. assets. The goal of the joint rulemaking by the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the “Agencies”) is to establish standards making the largest banking entities, and the U.S. financial system itself, more operationally resilient in the event of a cyber attack or disruption experienced by any one such entity. The Agencies are also considering applying the standards to third party servicers that serve the covered entities. Comments on the APNR are due by January 17, 2017.
A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector. The Agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm as well.
Though the Agencies already supervise information security at banking organizations, which are required to implement information security programs under the "Interagency Guidelines Establishing Information Security Standards" established pursuant to the Gramm Leach Bliley Act, the Agencies are concerned that "opportunities for high-impact technology failures and cyber-attacks" are increasing as a result of growing reliance on technology in the financial sector. For example, depository institutions play an essential role in payment, clearing and settlement arrangements and provide access to credit to households and businesses. The Agencies are intent upon securing these sector-critical systems by imposing the most stringent standards on the largest covered entities in a tiered manner.
The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber risk governance; continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis. The Agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or "sector-critical standards," applying to those systems of covered entities that are critical to the financial sector. The "sector-critical standards" would require covered entities to substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems.
The ANPR addresses five categories of new cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Among the more potentially significant proposed standards, the Agencies request comment on:
(1) Cyber Risk Governance - the enhanced standards would require the institution's Board of Directors, or an appropriate Board committee, to develop and approve a written, enterprise-wide cyber risk management strategy and to hold senior management accountable for implementing appropriate policies to effectuate the strategy. This would include requiring senior leadership with cyber risk oversight responsibility to have direct Board access and to be independent of business line management.
(2) Appropriate Cyber Risk Management – the enhanced standards would require the covered entities to integrate cyber risk management into at least three independent functions (such as the three lines of defense risk management model), with checks and balances. As part of this proposed enhanced standard, business units would be required to adhere to procedures and processes necessary to comply with the covered entity’s cyber risk management framework. The agencies are also considering a requirement that covered entities incorporate enterprise-wide cyber risk management into the responsibilities of an independent risk management function. In addition, the agencies are considering explicitly requiring the audit function to assess whether the cyber risk management framework of a covered entity complies with applicable laws and regulations and is appropriate for its size, complexity, interconnectedness and risk profile.
(3) Internal Dependency Management – the enhanced standards would require that covered entities have effective capabilities to be able to identify and address cyber risks associated with their workforce, data, technology, and facilities. These capabilities require ongoing assessment and improvement needed to reduce cyber threats. This could include a requirement to integrate an internal dependency management strategy into an overall strategic risk management plan.
(4) External Dependency Management - policies, standards, and procedures for external dependency management oversight would be required to be established and regularly updated, with appropriate controls, for due diligence, contracting and subcontracting, onboarding, ongoing monitoring, change management, and offboarding. This emphasis on third party access points appears to be in part a reaction to hackers gaining access to financial institutions such as a foreign bank through the Society for Worldwide Interbank Financial Telecommunication (SWIFT), and access to a major retailer's payment card systems through an HVAC vendor. These policies and procedures could introduce new tensions in dealings with third party vendors.
(5) Incident Response, Cyber Resilience, and Situational Awareness - covered entities would be required to be capable of operating critical business functions following cyber attacks and to maintain “enterprise-wide cyber resilience” and incident response programs, including, effective escalation protocols, cyber contagion containment procedures, and communication strategies. The Agencies are specifically considering requiring covered entities to establish a recovery time objective (“RTO”) of two hours for their sector-critical systems, validated by testing, to recover from a disruptive cyber attack.
Whatever action is adopted by the Agencies, whether in the form of a new banking regulation, guideline, or guidance, it will likely become a standard for liability, with the Board of Directors -- and third party vendors-- playing a very direct and active role in establishing, enterprise-wide, the banking entity's cybersecurity management framework.