The three federal banking regulatory agencies have issued an advance notice of proposed rulemaking (ANPR) that seeks industry comments on enhanced cyber-security risk-management and resilience standards. The requirements would apply to both large, interconnected entities under their supervision and to services provided by third parties to these firms.
The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve. The proposed standards would not apply to community banks.
The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber-event.
The ANPR addresses five categories: cyber-risk governance; cyber-risk management; internal dependency management; external dependency management; and incident response, cyber-resilience, and situational awareness.
Due to the interconnectedness of the U.S. financial system, a cyber-incident or failure at one interconnected entity “may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the ANPR says. For example, depository institutions and depository institution holding companies play an important role in U.S. payment, clearing, and settlement arrangements and provide access to credit for businesses and households.
The agencies are considering, as an enhanced standard, a requirement that covered entities develop a written, board-approved, enterprise-wide cyber-risk management strategy that is incorporated into the overall business strategy and risk management of the firm. The strategy would articulate how a firm intends to address its inherent cyber-risk (before mitigating controls or other factors are taken into consideration) and how it would maintain an acceptable level of residual cyber-risk (after mitigating controls and other factors have been taken into consideration) and maintain resilience on an ongoing basis.
Firms would also be required to establish, with board-level review, cyber-risk tolerances consistent with the firm’s risk appetite and strategy, and manage risk appropriate to the nature of the operations of the firm.
The board of directors would oversee and hold senior management accountable for implementing the firm’s cyber-risk management framework. The agencies are considering a requirement that directors have adequate expertise in cyber-security, or maintain access to resources or staff with this specific expertise. The standards would require the board of directors “to have and maintain the ability to provide credible challenge to management in matters related to cyber-security and the evaluation of cyber-risks and resilience.”
Also under consideration is requiring senior leaders with responsibility for cyber-risk oversight to be independent of business line management. Senior leaders would need to have direct, independent access to directors and would independently inform them, on an ongoing basis, of cyber-risk exposure and risk management practices, including known and emerging issues and trends.
Firms would be required to establish an enterprise-wide cyber-risk management framework that includes policies and reporting structures to support and implement the mitigation strategy. The firm would be required to include in its framework delineated cyber-risk management and oversight responsibilities, including reporting structures and expectations for independent risk management, internal control, and internal audit personnel; established mechanisms for evaluating whether the organization has sufficient resources to address the cyber-risks; and established policies for addressing any resource shortfalls or knowledge gaps. The framework would also include procedures for testing the effectiveness of the firm’s cyber-security protocols and updating them as the threat landscape evolves.
In general, the enhanced standards would require firms, to the greatest extent possible and consistent with their organizational structure, to integrate cyber-risk management into the responsibilities of at least three independent functions (such as the three lines of defense risk-management model) with appropriate checks and balances. This would allow them to more accurately and effectively identify, monitor, measure, manage, and report on cyber-risk.
Another requirement under consideration would have the units responsible for day-to-day business functions assess, on an ongoing basis, the cyber-risks associated with the activities of their business units, ensuring that information regarding those risks is shared with senior management, including the chief executive officer, as appropriate and in a timely manner.
The agencies are also considering a requirement that firms incorporate enterprise-wide cyber-risk management into the responsibilities of an independent risk management function. This function would report to the covered entity’s chief risk officer and board of directors.
As for the audit function, a proposed rule could explicitly require it to assess whether the cyber-risk management framework of a covered firm complies with applicable laws and regulations and is appropriate for its size, complexity, interconnectedness, and risk profile. An assessment of cyber-risk management would be incorporated into the overall audit plan.
As noted in the ANPR, the term “external dependencies” refers to a covered entity’s relationships with outside vendors, suppliers, customers, utilities, and other external organizations and service providers, as well as the information flows and interconnections between the firm and those external parties. Firms could be required to integrate an external dependency management strategy into the overall strategic risk management plan, and to establish effective policies, plans, and procedures to identify and manage real-time cyber-risks associated with external dependencies, particularly those connected to or supporting sector-critical systems and operations.
“The preservation of critical records in the event of a large-scale or significant cyber event is essential to maintaining confidence in the banking system and to facilitating resolution or recovery processes after a catastrophic event,” the ANPR says. Firms may be required to establish protocols for secure off-line storage of critical records (including financial records of the institution, loan data, asset management account information, and daily deposit account records) formatted using certain defined data standards to allow for restoration of these records by another financial institution, service provider, or the FDIC in the event of resolution.
The agencies are also considering a requirement that firms establish plans and mechanisms to transfer business, where feasible, to another entity or service provider with minimal disruption and within prescribed time frames if the original covered entity or service provider is unable to perform.
Among the questions posed in the release:
What are the costs and benefits of applying the standards to covered entities on an enterprise-wide basis?
If the agencies were to consider exempting certain subsidiaries within a covered entity from the standards, what criteria should be used to assess any such exemptions?
What, if any, special considerations should be made regarding application of the standards to savings and loan holding companies that engage significantly in insurance or commercial activities?
What are the most effective ways to ensure that services provided by third-party service providers to covered entities are performed in such a manner as to minimize cyber-risk?
What factors are most important in determining an appropriate balance between protecting the safety and soundness of the financial sector through the possible application of the standards and the implementation burden and costs associated with implementing the standards?
What factors should the agencies consider in a measure of interconnectedness resulting in a system being determined as critical to the financial sector, and how should such factors be weighted?
How would a covered entity determine that it is managing cyber-risk consistent with its stated risk appetite and tolerances?
What policies do covered entities currently follow in reporting material cyber-risks and vulnerabilities to the CEO and board of directors?
Besides the approach outlined in the ANPR, what other approaches could ensure that entities are effectively monitoring, measuring, managing, and reporting on cyber-risk?
What challenges and burdens would covered entities encounter in maintaining an internal and external dependency management strategy consistent with that described by the agencies?
How do the proposed internal and external dependency management standards compare with processes already in place at banking organizations?
What other approaches could the agencies use to evaluate a covered entity’s internal and external dependency management strategies?
How would the proposed standards for internal and external dependency management impact a covered entity’s use of a third-party service provider?
What is the extent to which it would be operationally and/or commercially feasible to comply with requirements to use certain defined data standards in order to increase the substitutability of third-party relationships to reduce recovery times for systems impacted by a significant cyber event?
How do covered entities currently evaluate their incident response and cyber resilience capabilities?
Comments on the ANPR are due by Jan. 17, 2017.