On October 19, 2016, the Board of Governors of the Federal Reserve System (Board), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Agencies) issued an Advanced Notice of Proposed Rulemaking (ANPR) regarding enhanced cyber risk management standards for “large and interconnected” banking organizations and financial institutions. The ANPR does not propose specific standards; rather, it details various proposals and concepts under consideration by the Agencies and solicits both general feedback and specific input on certain aspects of the framework envisioned by the Agencies. Comments on the ANPR must be submitted to the Agencies by January 17, 2017.

Background

Although the Agencies’ proposals are rooted in existing information technology requirements and guidance, the ANPR serves as an example of regulators’ heightened awareness of and sensitivity to the cyber risk posed to the financial sector, market participants, and consumers. For example, in September, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Technology Handbook to incorporate revised examination expectations with respect to information security. Shortly thereafter, the New York State Department of Financial Services (DFS) published a notice of proposed rulemaking building upon the FFIEC’s cybersecurity examination expectations that would impose cybersecurity-related requirements upon DFS-regulated entities.¹ And very recently, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) published guidance on financial institutions’ reporting of cyber events in connection with their submission of Suspicious Activity Reports (SARs), as required under the Bank Secrecy Act and FinCEN’s Anti-Money Laundering regulations.

The New York DFS proposal and the FinCEN guidance share certain concepts with the new ANPR, such as the importance of information-sharing and collaboration, both internally among compliance units and information security personnel and between interconnected financial institutions. These commonalities appear to reflect a collective awareness amongst regulators regarding the special circumstances of cybersecurity regulation in the financial sector. As the broadest of the three in applicable scope, the ANPR clearly signals the Agencies’ interest in developing binding, comprehensive cybersecurity standards that would likely exceed any existing standards to which banking organizations and financial institutions currently conform.

Scope

The enhanced cyber risk management standards described in the ANPR would apply on an enterprise-wide basis to banking organizations and financial institutions with US$50 billion or more in total consolidated assets—including, among others, US depository institutions, federal savings associations, bank holding companies and savings and loan holding companies, US operations of foreign banking organizations, and certain nonbank entities, such as nonbank financial companies subject to enhanced supervision and prudential standards under Section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), financial market utilities designated as systemically important by the Financial Stability Oversight Council (FSOC), and financial market infrastructures for which the Board exercises primary supervisory authority.

While proposing that these larger entities be the “Covered Entities” subject to the new cybersecurity standards, the Agencies also are seeking comments on whether it might be appropriate to determine the scope of coverage according to the number of connections that a particular entity, its affiliates and third-party service providers have with other entities throughout the financial sector—as opposed to doing so based on asset size. Additionally, the Agencies are considering whether the enhanced cyber risk management standards should apply directly to any third-party service provider of a Covered Entity, rather than placing oversight responsibility for service providers on the Covered Entity itself, in an effort to ensure consistent application and oversight of such standards regardless of whether the Covered Entity or a third-party service provider performs a relevant operation.

Overview of Proposals under Consideration by the Agencies

The approach advanced by the Agencies in the ANPR is tiered, with certain enhanced cyber risk management standards applying to Covered Entities generally and a more stringent set of standards and expectations applying to Covered Entities with “sector-critical systems.”

The ANPR discusses five potential categories of enhanced cyber risk management standards:

Cyber Risk Governance. The ANPR proposes to require a enterprise-wide cyber risk management strategy. This strategy would be incorporated into the overall risk management framework for each Covered Entity after being approved by the Entity’s directors and/or senior management. Establishing appropriate cyber risk tolerances based on a Covered Entity’s risk appetite and business strategy and objectives would be an important component of this strategy, as would the implementation of consistent policies, procedures, and reporting structures.

The ANPR suggests that a substantial amount of oversight by a Covered Entity’s directors, officers, and/or senior management would be required as part of the implementation and maintenance of a cyber risk management strategy. To carry out this function, the Agencies suggest that Covered Entities’ directors, officers, and senior managers would be required to possess adequate expertise or, alternatively, to devote resources to dedicated personnel with such expertise. The Agencies are also considering an independence requirement as part of this oversight function. This would require senior managers with oversight duties to be provided with direct, independent access to the Covered Entity’s directors and officers.

The extent to which a Covered Entity’s directors, officers or senior managers would be required to certify compliance with any future rule requirements or could be held liable for a failure to comply is not made clear in the ANPR. However, the Agencies’ apparent consideration of extensive and detailed director- and management-level oversight obligations suggests that such certification requirements and liability may be a part of the anticipated proposed rulemaking.

Cyber Risk Management. To promote high-level cyber risk management, the Agencies are considering requiring (i) each of a Covered Entity’s business units to assess the potential cyber risk and vulnerabilities associated with such unit’s business assets, services, and information technology connection points, (ii) the incorporation of enterprise-wide cyber risk management into the Covered Entity’s independent risk management function, and (iii) the Covered Entity’s audit function to assess separately whether its cyber risk management framework conforms to applicable laws and regulations at both the enterprise and business unit levels.

Internal Dependency Management. “Internal dependency” refers to the business assets of a Covered Entity, such as its personnel, data, technologies, and facilities. The Agencies are considering requiring Covered Entities to continually assess the cyber risks associated with its internal dependencies and to improve its effectiveness in mitigating such risks on an ongoing basis. The ANPR notes that, as part of this requirement, Covered Entities may be tasked with maintaining an inventory of all business assets on an enterprise-wide basis prioritized according to each asset’s import to the business function it supports and to the Entity’s overall business objectives—as well as designing and applying appropriate controls to each asset in accordance with its level of priority.

External Dependency Management. “External dependency” refers to a Covered Entity’s relationships with external vendors, suppliers, customers, and other outside organizations upon which the Covered Entity relies for services and information. The Agencies are considering requiring Covered Entities to continually evaluate and, as needed, mitigate the cyber risks posed by external dependencies and associated interconnection risks, including requiring an assessment and prioritization of external dependencies and connections across every business function, similar to that which is described above with respect to internal dependencies. In this regard, it is significant that entities in various sectors, including pharmaceutical/life sciences, defense and civilian agency contracting, consumer products and services, and public companies are increasingly subject to cybersecurity requirements and their compliance with these requirements may factor into a Covered Entity’s external dependency risk mitigation activities.

In addition, the ANPR notes that the Agencies may require Covered Entities to apply specific controls to address the cyber risks posed by each external entity upon whom the Entity is reliant throughout the lifespan of the entities’ relationship. This would require continual evaluation of such controls to ensure that evolving threats are appropriately addressed.

Incident Response, Cyber Resilience, and Situational Awareness. Most entities that would be Covered Entities under the contemplated standards presumably have some form of cybersecurity incident response plan in place. The Agencies seek to enhance such plans by requiring Covered Entities to design their governance systems so as to better identify and mitigate cyber risks posed through interconnectedness, in an effort to prevent “cyber contagion.” According to the ANPR, Covered Entities’ cyber resilience and incident response systems would be required to be highly dynamic. For example, the Agencies are considering requiring such systems to include escalation protocols that are linked across the enterprise to applicable cyber contagion containment procedures and communications strategies. In addition, systems would be required to feature processes for incorporating adjustments resulting from cyber event experiences. The Agencies note that relevant strategies would be required to be implemented in order achieve institutional and sector-wide resilience, while also limiting risks to and from interconnected third parties.

The ANPR also discusses the importance of record preservation in the event of a significant cyber event and notes that the Agencies are therefore considering the necessity of specific protocols for Covered Entities with respect to secure offline storage of critical records and the efficient transfer of business to another entity or service provider.

The Agencies are of the view that the interconnectedness of the financial markets and essential systems utilized by financial institutions operating within those markets creates a susceptibility to cyber risk that could have significant effects on the safety and soundness of the financial sector. Accordingly, in addition to the enhanced cyber risk management standards discussed above, the Agencies are considering proposing more stringent standards applicable to Covered Entities with “sector-critical” systems.

To identify which systems are “sector-critical,” the Agencies suggest relying in part on prior interagency interpretations of related terms, such as “critical financial market” and “firms that play a significant role” in such markets, in an effort to measure the significance of certain systems in the sectors contemplated by the ANPR. Under an existing relevant interpretation, any firm that consistently clears or settles at least five percent of the value of transactions in a “critical” market is “significant” in that market. The Agencies are considering whether systems that support such a volume of transactions in one or more of the markets for federal funds, foreign exchange, commercial paper, US government securities, or corporate debt and equity securities, among others, should be considered “sector-critical systems.”

The ANPR also notes that the disruption of certain systems that provide a key functionality to the financial sector may result in significant adverse sector-wide effects if such systems lack compatible substitutes. Similarly, according to the ANPR, the disruption of a system that serves as an important connecting point for other financial sector systems might produce comparable effects. The Agencies are therefore evaluating the extent to which factors such as these, namely, a system’s substitutability and interconnectedness, should also be accounted for in determining the meaning of “sector-critical.”

Considerations for Covered Entities

The ANPR raises a number of questions and considerations for those institutions that would be “Covered Entities” and also for third-party service providers of such Covered Entities. For example:

• If formally proposed, should the requirements described in the ANPR be applied to all federally-insured financial institutions, rather than simply “large and connected” financial institutions?
• Should the scope of coverage of the ANPR be based less on asset size and more exclusively on the number of connections that a particular entity, its affiliates, and third-party service providers have with other entities throughout the financial sector?
• Will Covered Entities be able to evaluate their interconnectedness and the sector-criticality of their systems sufficiently, and to design a governance system with corresponding policies and procedures, in a comprehensive but efficient manner?
• Is direct application of the ANPR to third-party service providers an appropriate method for holding such entities accountable for compliance, and would the application of the requirements of the ANPR to third-party service providers have an adverse impact on Covered Entities’ ability to receive certain services?
• How practicable might it be for any given Covered Entity to create cyber resilience and incident response systems that properly account for externalities that are dynamic and sector-wide?
• Would voluntary conformance to the National Institute of Standards and Technology (NIST) cybersecurity framework, for example, or the ongoing use of the FFIEC Cybersecurity Assessment Tool better position Covered Entities to comply with the ANPR?
• Will directors and senior managers of Covered Entities be required to possess some specified and identifiable level of information technology expertise? If so, will such individuals be held responsible for certifying compliance, as is contemplated under the proposed rulemaking issued by the New York DFS?
• Would the adoption of the ANPR create a need for financial institutions to revisit and rebuild existing, broader risk management systems and processes—including the addition and/or restructuring of compliance and information security personnel?

These and other questions merit serious consideration, and could be important issues to raise in comments responding to the ANPR.