WASHINGTON — A new plan by federal regulators that would require large banks to upgrade their cybersecurity standards again shows just how much the issue has grown as a principal threat to the global financial sector.
Just as running out of capital or liquidity can spark a crisis that puts a financial institution into a death spiral, a loss of control of sensitive data can lead to a reputational crisis and possibly have systemic consequences.
"There's really three things now that are very significant in the context of the life of a financial institution: a capital event, a liquidity event or a data breach," said Kevin Petrasic, a partner at White & Case who advises banks on cybersecurity matters.
As a result, banks appear likely to broadly support the new proposal, which was issued Wednesday by the Federal Reserve Board, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency.
"Generally speaking, a lot of what we've seen within the document … are things which our largest financial institutions already have under way," said Doug Johnson, the senior vice president and chief adviser in payments and cybersecurity policy at the American Bankers Association.
The plan would target only financial institutions with $50 billion or more in assets, requiring them to keep close tabs of their internal and external vulnerabilities, involve the board in cybersecurity decisions and establish offline storage capacity in order to protect critical data in the event of a large-scale breach.
Regulators said such measures were intended to curb systemic risk caused by the interconnectedness of the financial system.
"We must ensure that U.S. financial entities remain vigilant and resilient because a cyber incident that affects the safety and soundness of one entity may harm the safety and soundness of others and could end up having systemic consequences," said Comptroller of the Currency Thomas Curry.
It could also play in banks' favor by targeting the interconnected financial system — including third party providers and critical infrastructure entities like clearing houses .
The proposal "is broadly positive for the banks as it puts even more pressure on the sector to be cyber safe," said Jaret Seiberg, the managing director at Cowen Group, in a note to clients. "Our positive assessment holds even if it results in higher expenses as banks are forced to implement new safeguards."
Because the plan is at a very early stage, it is unclear how enforceable and prescriptive it will be; regulators offered three different degrees of flexibility for how it could be implemented.
The ABA's Johnson said this was one of the key questions banks would have to raise with regulators.
"It's up to us to demonstrate that the most effective …. governance process over cybersecurity is to give financial institutions an appropriate level of flexibility," he said.
Overall, the plan does go beyond existing standards, including those contained in the Federal Financial Institutions Examination Council's cybersecurity assessment tool, the National Institute of Standards and Technology cybersecurity framework and various agency guidelines.
The proposal "would give the regulators enforceable standards on cybersecurity, which are currently limited to" the cybersecurity standards laid out in the 2000 Gramm-Leach-Bliley Act, said Valerie Abend, a managing director at Promontory Financial Group and former top OCC official who spearheaded the agency's work on this proposal.
"It broadens the scope of the types of organizations that these potential enforceable standards would apply to, including third-party service providers," she said.
The plan could eventually become one of the main tools used by examiners to assess how well a firm is prepared for cybersecurity incidents.
"This is increasing the level of preparedness on the part of the bank," said Mitchell Glassman, a former FDIC director. "And I think it also is going to provide the regulators with a new way of looking at the institutions from a safety and soundness perspective that they'd never had before."
