To address the increasing risk of technology failures and cyber-attacks affecting the largest banking organizations, an advance notice of proposed rulemaking titled Enhanced Cyber Risk Management Standards (the ANPR) was recently issued by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (collectively, the agencies). The ANPR contemplates guidance or regulations that would impose a series of information security requirements for the largest, most interconnected financial institutions providing payment services and credit, along with their affiliates and service providers. Below we summarize the ANPR and provide thoughts on the environment for new cyber risk regulations.
Scope and Overview
The ANPR envisions enhanced cyber risk management standards for a large, interconnected banking organization – defined generally as a depository or other supervised institution with $50 billion or more in total consolidated assets – and its affiliates and service providers. The standards would consist of a baseline level of enhanced standards, along with a series of heightened “sector-critical standards” for systems that are critical to the financial sector as a whole. A system would be considered “sector-critical” if it clears or settles at least five percent of the value of transactions in certain markets, including federal funds, foreign exchange, or commercial paper, among others, or if it supports the maintenance of a significant share of total US deposits.
The enhanced standards are contemplated to cover five categories:
- Cyber risk governance. This category would address the development and maintenance of a formal cyber risk management strategy, policies and procedures to implement the strategy, and integration of the strategy in overall strategic plans and risk governance structures. It contemplates a board-approved, enterprise-wide cyber risk management strategy that details the entity’s cyber risk tolerance, how it would address inherent cyber risk, and how it would maintain acceptable levels of residual cyber risk. The ANPR also considers a requirement that senior leaders responsible for cyber security operate independently from business line management and report directly to the board.
- Cyber risk management. In contrast to governance, this category would address conduct and activities, allocated across the entity’s lines of defense. Generally speaking, a covered entity would be required to: (i) have its business units adhere to cyber risk policies and procedures; (ii) maintain an independent risk management function for enterprise-wide cyber risk management that reports directly to the chief risk officer and the board; and (iii) incorporate cyber risk management into the overall audit plan and assess its compliance with applicable laws and regulations.
- Internal dependency management. This category would require that an entity maintain a complete, enterprise-wide awareness of the internal assets and functions supporting its operations and its cyber risk management strategy, in order to continually assess and improve the effectiveness of its cyber risk reduction efforts. Controls would include the assessment of cyber risk before assets are deployed, continuous application of controls once they are in place, and the mitigation of any identified deviations.
- External dependency management. This category would require that interconnection risks be managed through monitoring of the external third-party relationships on which an entity’s operations and cyber risk management strategy depend, including prioritized monitoring efforts, incident response and notifications, and critical systems recovery. The agencies also contemplate standards for periodic tests of alternative solutions in case an external provider fails to perform as expected.
- Incident response, cyber resilience, and situational awareness. This function would enable an organization to “anticipate, withstand, contain, and rapidly recover from a disruption caused by a significant cyber event.” It would include escalation protocols, containment procedures, and communication strategies to be activated in the event of a cyber incident and consider wide-scale recovery scenarios for core business functions. In some cases, an entity’s measures would involve protocols for “secure, immutable, off-line storage of critical records….”
Sector-critical systems would be subject to heightened standards consisting of two key components: the adoption of "the most effective, commercially available controls" and a two-hour recovery time objective for sector-critical systems following a cyber event. The recovery time would need to be validated through testing against a range of severe but plausible scenarios that challenge the entity’s governance structures, policies, and procedures.
Quantitative Measurement of Cyber Risk
The ANPR also seeks methods to quantitatively measure an entity’s ability to reduce its aggregate residual cyber risk to a minimal level, but the methodology for such measurements has yet to be determined. The agencies therefore seek comment on quantitative measures that would permit comparisons of residual cyber risk across the industry.
Our Take on the Environment for New Cyber Risk Regulations
The ANPR is further evidence of an enhanced regulatory focus on cyber security risks and highlights the impact these risks could have on the stability of the financial sector as a whole. This latest response – introducing enhanced standards for large, interconnected financial entities that pose heightened cyber risk to the financial sector – appears to target a perceived gap in regulatory coverage among the numerous information security requirements and guidance that currently exist, including
- the Uniform Rating System for Information Technology,
- the FFIEC IT Handbook and Cybersecurity Assessment Tool,
- the Interagency Guidelines Establishing Information Security Standards under the Gramm-Leach-Bliley Act,
- the NIST Cybersecurity Framework,
- the CPMI-IOSCO guidance on cyber resilience for financial market infrastructures,
- and the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.
We anticipate that the regulatory approach contemplated here will be heavily scrutinized by affected industry participants, particularly with regard to requirements that would entail significant costs and operational challenges to implement, such as the proposed two-hour recovery time objective for sector-critical systems of covered entities. In this ANPR, the initiative to adopt multi-layered requirements and detailed technical and operational standards for the largest, most interconnected financial institutions signals a willingness by regulators to shift away from general guidance. As we noted recently in our analysis of the New York Department of Financial Services Proposed Cyber Security Program and Policies, whether such detailed requirements can remain current and effective as financial services companies adopt new and enhanced technologies remains to be seen.
Comments on the ANPR are due Jan. 17, 2017. Financial institutions and their service providers potentially affected by the requirements contemplated above should consider filing comments and/or engaging with trade associations to provide feedback on the ANPR.