Fed, FDIC, OCC toughen up on FI cybersecurity

The Federal Deposit Insurance Corp., Federal Reserve and Office of the Comptroller of the Currency co-authored a new set of guidelines designed to protect critical banking infrastructure. Escalating cyberattacks combined with increasing dependence on connected technologies have raised threat levels across the banking sector, the agencies stated.

Their recommendations, published Oct. 19, 2016, are detailed in Enhanced Cyber Risk Management Standards, an advance notice of proposed rulemaking (ANPR) that addresses cyber risk, internal dependency and external dependency management, as well as incident response, cyber resilience and situational awareness.

The ANPR recommends a tiered approach to implementing the new security guidelines, directing its strictest policies to large financial institutions with total consolidated assets of $50 billion or more.

"A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector," the authors wrote. "The agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm."

New threat landscape

Increasing reliance on connected technologies in commercial and private sectors has raised threat levels across depository institutions, particularly the seven largest and most complex financial institutions, according to recent reports.

"As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks," the ANPR authors wrote. "Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences."

The authors additionally noted the expanded role of third-party service providers in financial services. "Third parties that provide payments processing, core banking, and other financial technology services to these participants in the financial sector also provide services that are vital to the financial sector," they wrote. They also recommended that third-party service providers and nonbank financial companies be held to the same rigorous standards and scrutiny as the financial institutions they serve.

Enhancing existing rules

The three-party cybersecurity initiative is designed to enhance existing regulatory guidance and oversight, of which there is no shortage in the financial services sector. The ANPR cites the following government agencies and guidelines tasked with protecting U.S. banking infrastructure:

  • Federal Financial Institutions Examination Council: The FFIEC has published a series of documents on cybersecurity, including the IT Handbook, which provides guidance to examiners on third-party service providers. Its Cybersecurity Assessment Tool is a voluntary assessment resource widely used by financial institutions.
  • National Institute of Standards and Technology: The NIST Cybersecurity Framework is a voluntary framework designed to improve communications, awareness, and understanding among IT professionals and senior executives. Its five core functions are: Identify, Protect, Detect, Respond, and Recover.
  • CPMI-IOSCO Principles for Financial Market Infrastructures: The existing guidelines, created in June 2016 by the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions, are further clarified in the ANPR by the original authors.
  • Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System: Jointly created by the Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission, this paper is used as a point of reference in the ANPR. The paper focuses on minimizing systemic effects of wide-scale disruptions in critical financial markets.

Public comments welcome

Enhanced Cyber Risk Management Standards is available for public review and commentary until Jan. 17, 2017. The agencies are considering a variety of approaches, from policy statements to detailed regulations, to beef up existing regulatory and compliance frameworks.

The authors are encouraging the public to respond to the proposal during the open review period. They plan to publish pertinent feedback in a broader, more detailed report, followed by a second round of public review and consideration prior to a final ruling.