Cheat Sheet: Regulators Target Interconnectedness in Sweeping New Cyber Plan

WASHINGTON -- Federal banking regulators issued a broad proposal Wednesday designed to counteract cybersecurity threats that could hit at the financial industry's critical junctures.

The proposed standards, which would apply to financial institutions with more than $50 billion of assets, would establish an ambitious and detailed framework governing cybersecurity governance and management, the handling of internal and external vulnerabilities and catastrophe planning.

The plan is specifically focused on banks' interconnectedness and fears that a breach at a single institution could quickly spur more at others.

"As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks," the plan says. "Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences."

The plan was released jointly by the Office of the Comptroller of the Currency, Federal Deposit Insurance Corp. and Federal Reserve Board.

Under the proposal, banks would have to take a number of steps, including:

  • Ensuring that a bank's board has "adequate expertise in cybersecurity" and the ability to "maintain access to personnel with such expertise." Cybersecurity executives would also need to have independence from a bank's top brass, as well as "direct independent access" to the board.
  • Maintaining three lines of defense for banks in terms of internal management. Those engaged in making business decisions would be required to evaluate the cybersecurity risks from the start. Companies would also be required to have an "independent risk management function," which would report to the Chief Risk Officer and board of directors on the management of the company's cybersecurity program. Additionally, banks must have an audit function which would assess whether a company's cybersecurity program is appropriate given its size and risk profile.
  • Monitoring all internal and external vulnerabilities on a continuous basis. Internally, the firms would have to maintain an inventory of business assets, and set up "appropriate controls" to protect them. The companies would also have to periodically review the cyber risks associated with its connections to third parties and "periodically test alternative solutions" in the event those entities fail to establish adequate cyber controls.
  • Planning for the worst. Banks would be required not just to prepare for potential cyber attacks, but they must also develop the capacities to maintain their "core business functions," even in the event of a power outage or other critical shock. Companies would be required to have their critical data -- including from financial records, loan and deposit data -- safeguarded in "secure, immutable, offline storage." The protected data should be formatted so that it could be restored by another financial institution, a service provider, or the FDIC "as receiver."

Additionally, some financial institutions "critical" to the industry – like clearing houses and large service providers -- would face even higher standards. Those entities would have to implement "the most effective, commercially available controls" and be able to regain control of their critical systems within two hours of an attack.
Regulators stressed that the proposed standards would not replace pre-existing policies and guidance. For example, it would not supersede the 1978 Uniform Rating System for Information Technology used by regulators to determine a firm's cyber risks, though it might add to it.

The plan is also less expansive than the National Institute of Standards and Technology's cybersecurity framework because it would only apply to the largest firms.

As enforceable standards, the proposal would have more teeth than the Federal Financial Institutions Examination Council's Cybersecurity Assessment Tool, which is voluntary. It would not affect the FFIEC's 2003 IT handbook, which sets standards for examiners reviewing financial institutions.

For reprint and licensing requests for this article, click here.
Bank technology Law and regulation
MORE FROM AMERICAN BANKER