In a year when the coronavirus pandemic has disrupted the worldwide economy, federal banking regulators have offered guidance to large banks on how to build and strengthen operational resiliency amid technology-based failures, cyber-incidents, pandemic outbreaks, natural disasters, and more.
The Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation on Friday issued “Sound Practices to Strengthen Operational Resilience” in an attempt to “enhance the ability of firms to prepare, adapt, withstand, and recover from disruptions and to continue operations,” the guidance said.
The guidance is targeted at large U.S. banks with more than $250 billion in total consolidated assets, as well as banks with $100 billion or more in total consolidated assets that are considered “complex” because they have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure. Large foreign financial institutions whose U.S. operations are as large or complex as those described should also take note, the regulators said.
While the guidance “bring[s] together existing regulations and guidance as well as common industry standards to provide a comprehensive approach” to operational resilience, it does not represent new regulations, the agencies said in an explanatory note. The regulators said they plan to hold regular public discussions on the guidance later this year and in 2021.
The agencies define operational resilience as “the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard.” Good operational resilience allows financial institutions to respond, adapt, recover, and learn from threats and incidents, so they can prioritize and deliver critical operations and core business lines through a disruption.
The guidance covers seven areas large banks should address to improve their operational resilience: governance, operational risk management, business continuity management, third-party risk management, scenario analysis, information system management, and surveillance and reporting. An addendum on sound practices for cyber-risk management builds on these seven areas to provide targeted advice on that topic.
Identification of risks that could cause disruptions is key, the agencies said, as is measuring a firm’s ability to handle disruptions potentially caused by those risks. The disruption risks should be clearly outlined to the firm’s senior management, monitored carefully, and adjusted regularly.
The agencies recommend that banks step up assessment and monitoring of potential disruption risks arising from third parties, and adjust contracts so they clearly reflect the financial institution’s risk profile and its tolerance for disruption and set “benchmarks for monitoring a third party’s ability to continue to deliver services during disruptions.”
Not only should a firm have business continuity plans in place that have the support of senior management, but firms need to test those plans thoroughly. Business continuity plans should identify “potential risk transmission channels, concentrations, and vulnerabilities by analyzing the interconnections and interdependencies within and across its critical operations and core business lines considering third-party risks,” the guidance states.
The agencies recommend that a firm “encrypts data used in the delivery of critical operations and core business lines” and creates backups of critical data “and regularly tests those backups for completeness and reliability.” Firms should have monitoring systems in place that detect a breach quickly, along with strong policies and procedures for handling a breach both while it is under way and afterwards.