Federal Banking Agencies Propose "Enhanced Cyber Risk Management Standards" For The Largest Banks
Oct 31 2016
In a major new cybersecurity initiative the federal banking agencies have issued an advance notice of proposed rulemaking (“ANPR”) seeking comment on enhanced cybersecurity standards for banking entities with $50 billion or more in total assets. The standards will apply to US bank and savings and loan holding companies and their subsidiary institutions as well as to foreign bank holding companies with $50 billion or more in US assets. The goal of the joint rulemaking by the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the “Agencies”) is to establish standards making the largest banking entities, and the US financial system itself, more operationally resilient in the event of a cyber-attack or disruption experienced by any one such entity. The Agencies are also considering applying the standards to third-party servicers that serve the covered entities. Comments on the ANPR are due by January 17, 2017.
A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the US financial sector. The Agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm as well.
Though the Agencies already supervise information security at banking organizations, which are required to implement information security programs under the “Interagency Guidelines Establishing Information Security Standards” established pursuant to the Gramm-Leach-Bliley Act, the Agencies are concerned that “opportunities for high-impact technology failures and cyber-attacks” are increasing as a result of growing reliance on technology in the financial sector. For example, depository institutions play an essential role in payment, clearing, and settlement arrangements and provide access to credit for households and businesses. The Agencies intend to secure these sector-critical systems by imposing the most stringent standards on the largest covered entities in a tiered manner.
The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber risk governance; continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis. The Agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or “sector-critical standards,” applying to those systems of covered entities that are critical to the financial sector. The “sector-critical standards” would require covered entities to substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems.
The ANPR addresses five categories of new cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Among the more potentially significant proposed standards, the Agencies request comment on:
Whatever action is adopted by the Agencies, whether in the form of a new banking regulation, guideline, or guidance, it will likely become a standard for liability, with the Board of Directors -- and third-party vendors -- playing a very direct and active role in establishing, enterprise-wide, the banking entity's cybersecurity management framework.