Menu
Banking Exchange Magazine Logo
Menu

Big banks to face tighter cyber expectations

“Sector-critical” entities would have tighter regulatory controls under new proposal

Big banks to face tighter cyber expectations

Acknowledging the increasing sophistication, threat, and speed of those who would disrupt the interconnectedness of large U.S. financial institutions, federal banking regulators took a first step in crafting a rule that would add enhanced cybersecurity risk oversight and preparations.

Worries spur federal action

At an FDIC board meeting to consider issuing an advance notice of proposed rulemaking on this issue, Comptroller of the Currency Thomas Curry said:

“In the face of these [cyber] threats, we must ensure that U.S. financial entities that provide critical services to the financial sector remain vigilant and resilient because a cyber incident that affects the safety and soundness of one entity may harm the safety and soundness of others, and could end up having systemic consequences.”

In a press briefing before the meeting, an agency official said: “By targeting the firms and systems at which a cyber event would likely impact other firms in the broader financial sector, we’re hoping to increase not just the resiliency of the firm but the entire U.S. financial sector.”

Proposal affects biggest banks

While open to comment on all aspects of this advance proposal, the agencies expect it to three categories:

• Depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more.

• U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more.

• Financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve.

Agency officials also said that the proposal would apply to third parties that provide critical, core services to covered financial entities.

As proposed the announcement specifically would not apply to community banks, said FDIC Chairman Martin Gruenberg. However, the enhanced rules would operate within existing information technology/cyber response requirements and examination guidelines.

Said an agency official: “This isn’t new. It shouldn’t come as a surprise to the industry. It’s more of a difference in focus, to increase the focus of senior management and directors, and to establish appropriate cyber risk management.”

The enhanced rules would be more prescriptive than existing requirements for smaller financial institutions, agency officials explained.

5 categories of cyber risk standards

As described by an FDIC official during the hearing, the contemplated rule would have five categories of standards:

Cyber risk governance—This would require a written cyber risk strategy approved by the board of directors. It would require cyber risk tolerances and risk appetite, also approved by the board of directors. It would establish a senior leader for cyber risk oversight independent of the business line management and with direct access to the entity’s board.

Cyber risk management—This would integrate three lines of defense: Business units, an independent risk management group, and the audit function.

Internal dependency management—This would assess the effectiveness of reducing cyber risk within internal dependencies and enterprise-wide. Also, it would maintain a current and complete awareness of all internal assets and business functions that support cyber risk management strategy.

External dependency management—This would integrate an external dependency management strategy into the overall strategic risk management plan to address cyber risk. It would identify and manage real-time cyber risk in external dependencies.

Incident response/cyber resilience and situational awareness—It would establish and maintain incident response plans, governance strategies, and the capacity to rapidly recover from a disruptive cyber event. It would establish protocols for secure offline storage of critical records, such as loan data, asset management account information, and daily deposit records, including balances and ownership details, in a data format to allow restoration by another institution or FDIC.

One of the few specifics in the advance proposal includes a requirement that sector-critical systems be recovered within two hours following a disruptive, corruptive, or destructive cyber event.

Such a recovery capability would need to be validated by testing. Also, it would be enabled by implementing “the most effective and commercially available controls,” the official said.

Curry emphasized the need for top-down awareness of cyber risk among the largest financial sector entities:

“The proposed standards require a covered entity to ensure that cyber risk management is sufficiently ingrained within its governance and management structures to remain effective during and after a cyber event,” he said.

Comments on this advance notice of proposed rulemaking are due Jan. 17, 2017. Access the announcement and a link to the proposal

 Exam Council updates cyber risk FAQ

In a separate action, but related to dealing with cyber risk, the FFIEC recently issued updated frequently-asked-questions related to its Cyber Assessment Tool.

While the tool’s use is voluntary, banking agencies have encouraged its use, or of something similar, so financial institutions of all sizes can gauge their vulnerability against cyber threats.

[During the meeting regarding the proposed enhanced requirements for the largest institutions, Curry said the proposal “complements the cyber security assessment tool and other cybersecurity initiatives of the federal banking agencies and the FFIEC.”]

The FAQ guide answers questions and clarifies points in the Assessment and supporting materials based on questions received by the FFIEC members over the course of the last year.

For example, one question asks simply: “What is the value of the Assessment to management?”

Answer: “By using the Assessment, management will be able to enhance its oversight and management of the institution’s cybersecurity by doing the following:

• Identifying factors contributing to and determining the institution’s overall cyber risk.

• Assessing the institution’s cybersecurity preparedness.

• Evaluating whether the institution’s cybersecurity preparedness is aligned with its inherent risks.

• Determining risk management practices and controls that are needed or require enhancement and actions to be taken to achieve the desired state.

• Informing risk management strategies.

Download cybersecurity assessment tool

Download updated FAQ

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News. Email him at [email protected]

back to top

Sections

About Us

Connect With Us

Resources