More regulators (apart from the FTC) are now taking note of cybersecurity issues in the financial services industry and are taking steps to protect the industry and its consumers.
Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) issued its first enforcement action on data security against an online payment system. In June, the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body, issued a press release advising financial institutions to review their risk-management practices. Last month, the New York State Department of Financial Services (“NYDFS”) proposed a state-level regulation that would require banks, insurance companies and other financial services entities to have cybersecurity programs.
Along similar lines, on October 19, 2016, the Board of Governors of the Federal Reserve System (“Board”), the Office of the Comptroller of the Currency (“OCC”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, the “Agencies”) issued a joint advance notice of proposed rulemaking (“ANOPR”), titled “Enhanced Cyber Risk Management Standards,” that would constitute a marked expansion of the Agencies’ cybersecurity regulations. The proposed rules, which would apply a robust set of cyber risk management standards to large jurisdictional entities, are premised on the notion that “the interconnectedness of the U.S. financial system” means that “a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.” Below is an overview of the content of the ANOPR. The Agencies are requesting comments on all aspects of the ANOPR by January 17, 2017.
The Agencies are considering applying the new requirements on an enterprise-wide basis to large jurisdictional institutions, specifically those with total consolidated assets of $50 billion or more, as well as “third-party service providers with respect to services provided to depository institutions and their affiliates that are covered entities (covered services).” This would include, for example, bank holding companies, U.S. operations of foreign banking organizations, savings and loan holding companies, nonbank financial companies supervised by the Board, national banks, federal savings associations, state nonmember banks, and more. These covered entities would need to apply the new “enhanced standards” to all systems at the enterprise.
The Agencies are also considering a second tier of enhanced standards, which would apply to so-called “sector-critical systems,” that is, systems that are “critical to the financial sector.” The Agencies are considering defining these systems as those “that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities, and corporate debt and equity securities,” as well as “systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in other markets (for example, exchange-traded and over-the-counter derivatives), or that support the maintenance of a significant share (for example, five percent) of the total U.S. deposits or balances due from other depository institutions in the United States.” The Agencies are also considering additional factors that could cause a system to be considered “sector-critical,” such as substitutability and interconnectedness.
The enhanced cyber risk standards fall under these five main categories:
(a) Cyber risk governance;
(b) Cyber risk management;
(c) Internal dependency management;
(d) External dependency management;
(e) Incident response, cyber resilience, and situational awareness.
The Agencies are also seeking comment on the appropriate regulatory approach. They have identified three major regulatory approaches as follows:
(1) Introduce standards as a combination of a regulatory requirement to maintain a risk management framework for cyber risks and a policy statement or guidance that describes minimum expectations for the framework, such as policies, procedures, and practices commensurate with the inherent cyber risk level of the covered entity.
(2) Impose specific cyber risk management standards. For example, the standards could require covered entities to establish a cybersecurity framework that is commensurate with the covered entity’s structure, risk profile, complexity, activities, and size and that includes standards for the five categories of cyber risk management outlined above.
(3) Impose a framework that is more detailed than the second approach above. As with the second approach, the regulation could contain standards for the five categories of cyber risk management. However, in contrast to the second approach, the regulation would include details on the specific objectives and practices a firm would be required to achieve in each area of concern in order to demonstrate that its cyber risk management program can adapt and evolve according to the environment.
For a more in-depth analysis of the ANOPR, see our Cyber Alert on it here.