March 23, 2019

Financial Stability Oversight Council identifies cybersecurity as primary area of risk for the banking industry

On December 14, the Financial Stability Oversight Council (FSOC), which was established by the Dodd-Frank Act to analyze and mitigate potential threats to the financial sector, released its first report under the Trump administration (the "Report"). FSOC is comprised of representatives from each of the federal financial regulators, including the CFPB. Mick Mulvaney, President Trump's designee as CFPB Acting Director, signed the Report on behalf of the CFPB.

Among the risk areas discussed in the Report, the FSOC identifies cybersecurity as the first area of risk to be addressed by financial institutions. The FSOC also calls on the federal financial regulatory agencies and the Treasury Department to ensure that banking institutions and the third parties they rely on are adequately safeguarding against cyber intrusions. Specifically, the Report urges improvement in the following areas:

  • Executive Oversight. The FSOC “underscores the necessity of sustained senior-level attention on cybersecurity risks and their potential systemic implications.”  To that end, the FSOC recommends the creation of a council of senior executives that would be focused on cybersecurity issues and responsible for liaising with regulators.

  • Information Sharing. In order to develop a better understanding of operational risks, improve risk-mitigation efforts, and enhance the financial sector’s security and resilience, the FSOC encourages the sharing of threat information and known vulnerabilities among government agencies and between the public and private sectors.

  • Cybersecurity Standards. The FSOC recommends that financial regulators establish a "harmonized risk-based approach" when addressing cybersecurity among financial institutions, including utilizing the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Framework, whose core is organized around the five functions Identify, Protect, Detect, Respond, and Recover) and developing a common lexicon for discussing these issues with regulated companies. The Report notes that a common lexicon should be created within both the domestic and international financial sectors, and points to the approaches of other G7 countries for instruction.

  • Third-party Service Providers. The FSOC encourages financial institutions to address cybersecurity risks related to third-party service providers and adopt the use of appropriately tailored language in vendor contracts.

  • Coordination of Response and Recovery Processes. The Report states that the Financial and Banking Information Infrastructure Committee (FBIIC) should continue to promote processes to strengthen response and recovery efforts while working closely with the Department of Homeland Security (DHS), law enforcement, and industry partners to carry out regular cybersecurity exercises.

Financial institutions and their service providers should enhance their cybersecurity protocols to address the Report's recommendations. Based on the Report, we suggest that companies, at a minimum, consider preparing Board presentations that appropriately discuss the legal risks associated with cybersecurity, implementing the NIST Framework as appropriate, and incorporating cybersecurity provisions into vendor contracts.

Copyright © by Ballard Spahr LLP

About this Author

Pavitra Bacon, Associate, Ballard Spahr LLP (Washington DC office)

Pavitra Bacon counsels providers of consumer financial services, including banks, on regulatory compliance matters, and has successfully represented such providers in class action litigation and government enforcement matters. She advises clients on multifaceted regulatory issues related to student lending, mortgage origination and servicing, lender-placed insurance, information privacy, and credit cards. Her practice focuses on federal and state consumer protection laws, including the Truth-in-Lending Act (TILA); the Telephone Consumer Protection Act (TCPA); the Equal Credit Opportunity...