Oct 252016

Federal Banking Agencies Request Comment on Enhanced Cyber Risk Management Standards

David E. Teitelbaum, Joel D. Feinberg and Stanley J. Boris
, , , , , ,

On Oct. 19, the Board of Governors of the Federal Reserve System (the Board), the Office of the Comptroller of the Currency (the OCC) and the Federal Deposit Insurance Corporation (the FDIC, and collectively with the Board and the OCC, the Agencies) issued a joint advanced notice of proposed rulemaking (ANPR) inviting comment regarding enhanced cyber risk management standards for large and interconnected entities under their supervision and those entities’ service providers. As financial technology continues to advance, the largest, most complex financial institutions have relied more and more on technology to carry out their banking activities and to provide critical services to the financial sector and the U.S. economy. In the event of a cyber attack on a covered entity, the ANPR is intended to enhance the covered entity’s ability to continue to function and to reduce the overall impact on the financial system resulting from interconnectedness.

The Agencies have existing supervisory programs with general expectations for cybersecurity practices at depository institutions, their holding companies and third-party service providers. The enhanced standards that would eventually result from the ANPR would be integrated into the existing framework by establishing enhanced supervisory expectations for the entities and services that potentially pose heightened cyber risk to the safety and soundness of the financial sector. The Agencies also are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on those entities critical to the functioning of the financial sector. The ANPR is structured as a discussion of proposals that the Agencies are considering along with specific questions for which the Agencies are seeking input. Comments on the ANPR are due by Jan. 17, 2017.

Scope of Application

The Agencies are considering applying the enhanced standards enterprisewide to certain entities with total consolidated assets of $50 billion or more. The enhanced standards would apply to U.S. bank holding companies, savings and loan holding companies, and federal- and state-chartered banks and savings associations, in each case that meet or exceed the asset threshold, and U.S. operations of foreign banking organizations (with total U.S. assets of $50 billion or more). Additionally, the Agencies are considering whether to extend the enhanced standards to nonbank financial institutions supervised by the Board and designated financial market utilities and other financial market infrastructure over which the Board has primary supervisory authority because they are members of the Federal Reserve System. Furthermore, the Agencies are considering whether to apply the enhanced standards directly or via contract to third-party service providers with respect to services provided to depository institutions and their affiliates that are covered entities.

Enhanced Cyber Risk Management Standards

The enhanced standards would emphasize the need for covered entities to (1) demonstrate effective cyber risk governance; (2) continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors; (3) establish and implement strategies for cyber resilience and business continuity in the event of a disruption; (4) establish protocols for secure, immutable, transferable storage of critical records; and (5) maintain continuing situational awareness of their operational status and cybersecurity posture enterprisewide. The standards would be organized into five categories: cyber risk governance; cyber risk management; internal dependency management (i.e., management of business assets upon which an entity depends to deliver services); external dependency management (i.e., management of an entity’s relationships with outside vendors, suppliers, customers, utilities and other organizations upon which an entity depends to deliver services and the interconnections of the entity and those parties); and incident response, cyber resilience and situational awareness.

Notably, as part of the external dependency management standard, the Agencies are considering a requirement that covered entities have the ability in real time to monitor all external dependencies and trusted connections enterprisewide and to prioritize them based on their criticality to the business functions they support, the firm’s mission and the financial sector. Also, as part of the incident response, cyber resilience and situational awareness standard, the Agencies could include a requirement that covered entities establish plans and mechanisms to transfer business, where feasible, to another entity or service provider with minimal disruption and within prescribed timeframes if the original covered entity or service provider is unable to perform.

Sector Critical Systems

As discussed above, the Agencies are considering establishing a two-tiered approach to implementing the enhanced standards: The general enhanced standards would apply to all systems of covered entities, and an additional, higher set of expectations, referred to as “sector-critical standards,” would apply to those systems of covered entities critical to the financial sector. As part of the sector-critical standards, the Agencies are considering requiring covered entities to establish a recovery-time objective of two hours for their sector-critical systems to recover from a cyber event. The Agencies are considering whether to include the following systems within the scope of sector-critical standards:

  • systems that support the clearing or settlement of at least 5 percent of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity
  • systems that support the clearing or settlement of at least 5 percent of the value of transactions (on a consistent basis) in other markets (e.g., exchange-traded and over-the-counter derivatives)
  • systems that support the maintenance of a significant share (e.g., 5 percent) of the total U.S. deposits or balances due from other depository institutions in the United States.

Implementing the Enhanced Standards

The Agencies are considering three possible approaches to implement the enhanced standards. In particular, they could do so as a combination of regulatory requirements along with a policy statement or guidance, as regulations that impose specific cyber risk management standards or as a more detailed regulatory framework, including specific objectives and practices.

David E. Teitelbaum

Washington, D.C.

dteitelbaum@sidley.com

Joel D. Feinberg

Washington, D.C.

jfeinberg@sidley.com

Stanley J. Boris

Washington, D.C.

sboris@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.