Federal Bank Regulators Announce Plans to Propose New Cybersecurity Requirements | Practical Law

In an advance notice of proposed rulemaking, the federal banking regulators announced that they were considering implementing more stringent cybersecurity measures, which would include specific requirements to ensure the security of individual banks as well as the financial sector as a whole.

Practical Law Legal Update w-004-1007 (Approx. 4 pages)

by Practical Law Finance
Published on 26 Oct 2016, USA (National/Federal)
On October 19, 2016, in an advance notice of proposed rulemaking, the federal banking regulators announced that they were considering implementing more stringent cybersecurity measures, which would spell out specific requirements to ensure the security of individual banks as well as the financial sector as a whole. The announcement followed a recent proposal by the New York Department of Financial Services for enhanced cybersecurity standards for its financial institutions, demonstrating a trend of increased scrutiny over banks' cybersecurity programs (see Legal Update, NYDFS Issues Proposed Cybersecurity Regulations for the Financial Industry). For more information on existing cybersecurity requirements, see Article, Cybersecurity for Banks: The Legal and Regulatory Framework.
The agencies are considering applying the enhanced standards to large banks and bank holding companies with total consolidated assets of $50 billion or more.
The standards would also apply to the US operations of foreign banking organizations with total US assets of $50 billion or more. The agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm. In addition, the enhanced standards would apply to third-party vendors with respect to services provided to covered institutions.
The enhanced cybersecurity standards would be organized into five categories:
  • Cyber risk governance. Cyber risk governance involves developing and maintaining a formal cyber risk management strategy, including a framework of policies and procedures to implement the strategy that is integrated into the overall strategic plans and risk governance structure of the entity. This would include identifying inherent cyber risks, determining how the entity plans to maintain an acceptable level of residual risk, and establishing enterprise-wide cyber risk appetites consistent with the nature and operations of the entity.
  • Cyber risk management. Banks would be required to integrate cyber risk management responsibilities into three independent functions:
    • individual business units, which would be required to identify and address risk on an ongoing basis, and convey areas of risk that need to be addressed to senior management;
    • independent risk management, which would be required to analyze cyber risk at the enterprise level and implement programs and policies that reflect emerging risks; and
    • audit, which would evaluate risk management, internal controls, and governance processes.
  • Internal dependency management. Internal dependency management refers to the effective identification and management of cyber risks in the business assets of a covered entity (workforce, data, technology, and facilities). This includes having current awareness of all internal assets and business functions that support cyber risk management, as well as an enterprise-wide inventory of all business assets, prioritized according to the assets' criticality to the business functions they support.
  • External dependency management. External dependency management refers to an entity's relationship with outside vendors, suppliers, customers, utilities, and other external organizations and service providers. Entities would be required to integrate an external dependency management strategy into the overall strategic risk plan to reduce cyber risks. This would include updating that risk strategy periodically and when necessary, as well as ensuring the ability to monitor, in real time, external dependencies and trusted connections that support the entity's risk management strategy.
  • Incident response, cyber resilience, and situation awareness. This category is designed to ensure that entities plan for, respond to, contain, and rapidly recover from disruptions caused by cyber incidents. Entities would be expected to operate critical business functions during cyber-attacks and continuously enhance and augment their security programs to respond to new types of attacks. This would include preserving critical records in large-scale or catastrophic events, by, among other things, providing for secure, immutable, off-line storage of critical records. In the event of an entity not being able to continue operations, the requirements may include the creation of plans to transfer critical services to another entity.
The proposal includes two different standards, with heightened requirements applied to systems of covered entities that are critical to the functioning of the financial sector. The agencies are considering requiring that covered entities minimize cyber risk to sector-critical systems by, among other things:
  • Implementing the most effective, commercially available controls.
  • Establishing a recovery time objective of two hours for sector-critical systems in the event of disruptive or destructive cyber events.
The agencies may implement the enhanced standards using policy statements, comprehensive regulations, or a combination of the two. The announcement poses specific questions, and answers to or comments on the announcement are due by January 17, 2017.