The Board of Governors of the Federal Reserve System has recently indicated it may move forward with enhanced cybersecurity standards that had previously been floated by the Board, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) back in 2016. Specifically, in October 2016, the three entities issued a joint advance notice of proposed rulemaking (ANPR) on enhanced cybersecurity standards before deprioritizing it in 2017. While the OCC and the FDIC withdrew their ANPRs earlier this Spring, the Board may revive the issue this coming Fall.
Scope: The proposed standards would cover bank holding companies with $50 billion or more in total assets, financial market utilities, and nonbank systemically important financial institutions supervised by the Board (collectively referred to as “covered entities”). The Board is also considering whether to apply the standards to third-party service providers with respect to the services they provide to covered entities, since, depending upon the nature of the services provided, such service providers are often implicated in cyberattacks and can serve as easy access points.
Enhanced Cybersecurity Standards: The enhanced standards would require covered entities to:
- Demonstrate effective cyber risk governance;
- Continuously monitor and manage their cyber risk;
- Establish and implement strategies for cyber resilience and business continuity in the event of a disruption;
- Establish protocols for secure, immutable, transferable storage of critical records; and
- Maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis.
Sector-Critical Standards: Additional, more stringent standards would potentially apply to those entities that are deemed critical to the financial sector. A firm is critical to the financial sector if it consistently clears or settles at least five percent of the value of transactions in the markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities, or corporate debt and equity securities.
Proposed sector-critical standards would require covered entities to:
- Implement procedures to get back online within two hours following a cyberattack; and
- Evaluate how protections they adopt would prevent hackers from gaining access to other firms in the financial system.
Cyber Risk Governance: Pursuant to the Board’s proposed cybersecurity standards, the boards of directors of covered entities will be responsible for approving and continuously monitoring and managing cyber risk levels. They will need to hold senior management accountable for establishing and implementing appropriate policies that integrate cyber risk management into at least three independent functions, e.g., three lines of defense:
- Business Units. The units responsible for the day-to-day business functions of a covered entity will be required to assess, on a regular basis, the cyber risks associated with every business asset, such as their workforce, data, technology, and facilities. Business units will need to ensure that this information is shared with senior management, including the CEO, so that senior management can address and respond to emerging cyber risks as they develop.
- Independent Risk Management. Covered entities will need to appoint a chief risk officer who, along with the board of directors, will oversee the independent risk management unit. This unit would be required to identify, measure, and monitor cyber risk across the enterprise to assess the completeness, effectiveness, and timeliness of risk reduction.
- Covered entities would be required to provide an evaluation of the adequacy of the organization’s compliance with applicable laws and regulations. Such evaluations would be required to include the entire security lifecycle, including penetration testing and other appropriate vulnerability assessment activities as part of the overall cyber risk management strategy.
The Board’s proposed enhanced cybersecurity standards, if implemented, would increase the operational requirements and potentially establish a new standard of cyber liability for larger financial institutions and their service providers. The standards would also require such covered entities, for the first time, to officially consider their own interconnectedness as a component of their cybersecurity planning. Entities potentially affected should be tracking the Board’s rule-making process and should act quickly to revise their policies and procedures to capture any new requirements introduced by the Board. The Board has set November 2019 as the date on which they expect to take further action.