Earlier this week, the Federal Reserve Board, the OCC, and the FDIC issued a joint advanced notice of proposed rulemaking outlining expectations and seeking public comment on enhanced cyber-risk management standards. This is the most recent in the ongoing efforts and attention from federal regulators to provide what OCC Comptroller Thomas J. Curry described as “a comprehensive, cross-agency, cross-border response” to cybersecurity risk.
Earlier this year, SEC Chair Mary Jo White described cybersecurity as “one of the greatest risks facing the financial services industry.” These risks are not limited to financial institutions and, in connection with the announcement of The Comprehensive National Cybersecurity Initiative, “President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter.”
Expansion, not substitution. The proposal represents enhanced standards that would be “integrated into the existing supervisory framework,” which includes the Financial and Banking Infrastructure Committee of the President’s Working Group on Financial Markets, the Financial Stability Oversight Council, and the FFIEC with its IT Handbooks and related Cybersecurity Awareness tools and resources for financial institutions.
Scope of proposal’s coverage. The agencies would apply enhanced standards to entities within their jurisdiction with total consolidated assets of $50 billion or more on an enterprise-wide basis. This would include, for the OCC, all national banks, federal savings associations, and federal branches of foreign banks, and, for the FDIC, all state non-member banks, that together with their subsidiaries have $50 billion or more in total assets. As it relates to the Federal Reserve Board, the enhanced standards would apply to:
- US bank holding companies and savings and loan holding companies
- US operations for foreign banking organizations, including state-regulated branches of foreign banks and
- Institutions subject to enhanced supervision under Section 165 of the Dodd-Frank Act – the so-called nonbank SIFIs
… in each case, with assets that meet or exceed the threshold.
Importantly, the proposal takes an enterprise-wide approach to application, meaning nonbank subsidiaries of holding companies would be held to the standards due to their “potential to act as a point of vulnerability” to the banks. Similarly, third-party services providers will be held to these standards to the extent they provide services to covered entities. The agencies are clear with respect to third-party service providers that the standards have “direct application,” meaning the federal banking agencies could impose supervisory actions directly against such vendors that fail to meet the standards.
Identified expectations. While all systems will have enhanced standards, covered entities must identify systems which present “sector-critical” risks, as those will be held to “an additional, higher set of expectations.” Sector-critical systems, which generally interconnect across institutions with the ability to impact the financial services sector as a whole if disrupted, must have the most effective commercially available controls and recovery to functionality of two hours or less after a cyberattack.
For all systems, covered entities must demonstrate:
- effective cyber-risk governance
- continuous monitoring and management of cyber-risk within levels approved by their boards of directors
- strategies for cyber-resilience and business continuity in the event of a disruption
- protocols for secure, immutable, transferable storage of critical records and
- continuing enterprise-wide awareness of operational status and cybersecurity.
Enhanced cyber-risk standards are divided into five categories.
Category 1: Cyber-risk governance, inclusive of formal cyber-risk management strategies; defined risk tolerances; identified activities and products that present the most exposure; approved policies and procedures; and board and board committee involvement.
Category 2: Cyber-risk management, which would require ongoing risk assessments at the business unit level; independence of risk management; and audit of the program’s effectiveness, controls, and governance.
Category 3: Internal dependency management, which must consider the interrelationship of diverse sources of risk such as insiders, data transmission, and legacy systems acquired through a merger; well defined roles and responsibilities; and “complete awareness of all internal assets and business functions that support a firm’s cyber risk management strategy.”
Category 4: External dependency management, designed to monitor, mitigate, and respond to cyber-risks presented by dependents outside the organization such as vendors and customers as well as the means by which internal parties communicate, with the ability for timely identification and response to external disruptions.
Category 5: Incident response, cyber-resilience, and situational awareness, under which regulators will assess the institution’s ability to maintain critical functionality in the face of cyberattacks and disruptions, with key attributes being redundant data and processes, substitutable systems, and periodic disruption testing.
The first two categories are designed to emphasize the importance of “a foundation for making informed risk-based decisions in support of its business objectives.” The proposal considers an explicit mandate for senior leaders in the cybersecurity program to be independent of business.
Following the discussions in the proposal of each of these categories, as well as elsewhere in the document, the agencies provide a list of specific questions for which they are soliciting feedback by January 17, 2017. The means by which any final guidance is communicated is, as yet, unclear. Possible options include agency-issued policy statements and proposed regulations with varying degrees of detail or specificity.
In any case, institutions can be certain that cyber-risk management is a priority for the federal banking agencies and will be a continued focus during periodic examinations and otherwise.