August 4, 2021

Volume XI, Number 216



Federal Banking Regulators Propose Cyber Risk Management Standards

In the midst of growing concerns over cyber-attacks on U.S. companies, federal banking regulators announced a proposal to enhance and standardize cyber risk management standards across the banking industry. The Advance Notice of Proposed Rulemaking (ANPR) was jointly issued by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) on Wednesday, October 19, 2016.

The proposal details a planned regulatory scheme intended to help ensure resiliency in the face of a cyber-attack or adverse IT event, and to provide a practical framework for mitigating the potential consequences of an IT systems failure.

The proposed rules will apply to large financial institutions and "interconnected" entities that support operations throughout the information life cycle. Different tiers of restrictions will be developed depending on how critical a "covered entity" is to the financial institution’s ability to function. Rather than issuing a comprehensive set of rules, the proposal leaves many questions for industry stakeholders, who will have an opportunity to shape the potential rules during the public comment period, which closes on January 17, 2017.

Principles of the Proposal

The proposal sets out the following principles that could dramatically expand the reach of financial industry regulators in the area of cybersecurity risk.

Expanded applicability to financial institutions

The proposed rules are intended to apply to financial institutions that are critical to the financial sector, banking organizations with total consolidated assets of $50 billion or more, and third-party service providers. These standards apply enterprise-wide at covered entities. The regulation, however, will not apply to community banks.

Expanded applicability beyond financial institutions

Third-party service providers would have to comply with the same standards as covered entities. The intention is to help ensure the proposed standards are consistent across the IT systems of covered entities regardless of whether components of IT operations are performed in-house, by affiliates or by third-party service providers.

Tiered approach depending on criticality to the financial sector

Two sets of standards may be developed. The first set of enhanced standards would apply broadly to all systems of covered entities, and the second set of heightened "sector-critical standards" would apply to entities that pose a high level of risk to large institutions or are critical to the entire industry.

Sector-critical entities may have to significantly bolster security controls and incident response plans

There may be heightened requirements to implement and operationalize cybersecurity controls.

  • These entities may be required to establish a two-hour Recovery Time Objective (RTO) from a cyber event, and to validate the RTO with testing.

  • These enhanced obligations would apply to third parties with operations that supply “sector-critical” services.

Categories of standards will be issued

The framework established by the proposed rules will consist of the following categories of controls:

  • Cyber risk governance

  • Cyber risk management

  • Internal dependency management

  • External dependency management

  • Incident response, cyber resilience and situational awareness

Impact of the New Regulations

This ANPR follows closely on the heels of a recently proposed New York State law that would require banks, insurance companies and other financial services institutions regulated by the State Department of Financial Services (DFS) to establish and maintain a cybersecurity program. The impact of these new regulations will certainly extend to companies that were previously not subject to stringent cybersecurity regulations. The final form has yet to be issued, but there is no doubt that regulators are paying closer attention than ever to cybersecurity and privacy.

© 2021 Wilson Elser

National Law Review, Volume VI, Number 305

About this Author

Gregory Bautista, Wilson Elser, Civil Litigation Lawyer, Data Privacy Attorney

Gregory Bautista is an experienced civil litigator with a focus on data breach response. He is keenly aware of the growing importance of assisting clients in developing and implementing data security risk management measures related to the receipt and use of highly sensitive and confidential data. Greg provides his clients with knowledge and guidance on information governance and e-discovery matters. He has embraced the concept of information governance, which melds the disciplines that exist in all businesses into a powerful enterprise-wide strategy.