On October 19, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (together, the “Prudential Regulators”) published an advance notice of proposed rulemaking (ANPR) that would require banks with more than $50 billion in assets to take additional steps to protect against cyber-attacks. Comments to the ANPR are due January 17, 2017.
The ANPR explains that Prudential Regulators have existing programs that contain supervisory expectations for cybersecurity practices at financial institutions and third-party service providers, such as existing FFIEC standards (please see our recent FFIEC alerts available here and here). The proposed ANPR standards would be integrated into these existing supervisory frameworks.
The ANPR addresses five categories of cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Significant proposals within each category include the following:
- Cyber risk governance – The board of directors of a covered entity would be required to hold senior management accountable for implementing the entity’s cyber risk management framework. The ANPR proposes requiring the board to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise. The ANPR also considers requiring senior leaders with responsibility for cybersecurity to be independent of business line management.
- Cyber risk management – The ANPR would require covered entities, to the greatest extent possible, to integrate cyber risk management into the responsibilities of at least three independent functions with appropriate checks and balances. Units responsible for day-to-day business functions would need to assess, on an ongoing basis, the cyber risks associated with the unit’s activities and to ensure that information regarding those risks is shared with senior management, as appropriate, in a timely manner. The ANPR proposes explicitly requiring the audit function of a covered entity to assess whether the cyber risk management framework complies with applicable regulations and is appropriate for the firm’s size, complexity, interconnectedness, and risk profile.
- Internal dependency management – The ANPR would require covered entities to maintain an inventory of all business assets on an enterprise-wide basis, prioritized according to the assets’ criticality to the business functions they support, the firm’s mission and the financial sector. Covered entities would need to track connections among assets and risk levels throughout the life cycles of the assets.
- External dependency management – The ANPR proposes requiring covered entities to maintain a current, accurate, and complete awareness of all external dependencies and trusted connections on an enterprise-wide basis, and to prioritize them based on their criticality to the business functions they support, the entity’s mission, and the financial sector. Covered entities would be expected to generate and maintain a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions.
- Incident response, cyber resilience, and situational awareness – Covered entities would be required to be capable of operating critical business functions in the face of cyber-attacks and to continuously enhance their cyber resilience. This includes establishing processes designed to maintain effective situational awareness capabilities to reliably predict, analyze, and respond to changes in the operating environment. In addition, the ANPR proposes that covered entities establish and maintain enterprise-wide cyber resilience and incident response programs, with escalation protocols, based on their enterprise-wide cyber risk management strategies and supported by appropriate policies, procedures, governance, staffing, and independent review. These programs would be required to include processes to incorporate lessons learned into the programs.
The Prudential Regulators are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector (“sector-critical systems”). In particular, the ANPR proposes a requirement that covered entities minimize the residual cyber risk of sector-critical systems by implementing the most effective commercially available controls. The Prudential Regulators are also considering requiring covered entities to establish a recovery time objective (RTO) of two hours for their sector-critical systems.
As the ANPR states, “[a]s technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.” As a result, banks, their boards and third-party vendors should all continue to expect heightened cybersecurity regulations and consider changes to other liability standards that might result from those heightened regulatory expectations.