Both federal and state officials recently proposed new regulations aimed at the financial sector in an effort to promote protection against high-impact technology failures and cyberattacks.
FDIC, Federal Reserve System, and Office of the Comptroller of the Currency
On October 19, 2016, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve System (the Fed) and the Office of the Comptroller of the Currency (OCC) collectively issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks and bank holding companies with assets totaling more than $50 billion. The proposed rules would also extend to nonbank financial companies and financial market utilities supervised by the Federal Reserve Board of Governors, and to third parties that provide services to covered entities. Public comments on the proposed rulemaking must be received by January 17, 2017.
The proposed federal regulations would mandate that subject entities institutionalize certain cyber risk management standards in these areas:
- cyber risk governance;
- cyber risk management;
- internal dependency management;
- external dependency management; and
- incident response, cyber resilience and situational awareness.
The standards would be tiered, with more stringent standards for systems that provide key functionality to the financial sector.
The goal of the proposal is "increasing [financial institutions'] operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities," according to FDIC Chairman Martin Gruenberg.
Specifically, the agencies are considering requiring that covered entities develop board-approved cyber risk management strategies, with senior management held accountable for establishing and implementing policies consistent with the strategies. The agencies also have proposed requiring covered entities to regularly analyze and address the cyber risks of relationships with third-party service providers, and periodically test alternative solutions if the third party fails to perform as expected. Additionally, as part of an effort to minimize business disruption, the agencies are considering regulations requiring protocols for secure, immutable, off-line storage of critical records, and specific testing to address potential threats.
While the three agencies involved already examine entities' information security practices during regular supervisory reviews, the new standards are intended to strengthen cybersecurity practices and therefore reduce the potential harm to the U.S. financial system from a cyberattack or major IT failure.
New York's Department of Financial Services Proposed Regulations
The New York Department of Financial Services (DFS) has issued a proposed set of regulations requiring that all entities licensed or registered under New York banking, insurance or financial services laws, including state-licensed banks, insurance companies, private bankers, licensed lenders, mortgage companies and state-licensed offices of non-U.S. banks, assess their cyberattack risk profiles, and implement mandatory cybersecurity policies and programs. Certain smaller institutions would be exempted. If adopted, the regulations are expected to be incorporated into final regulations taking effect January 1, 2017. Firms covered by the regulation would have 180 days to comply.
Under the proposed DFS regulations, covered institutions must comply with a number of comprehensive requirements, including:
- Appointing a chief information security officer (which may be met using third-party service providers under certain conditions);
- Implementing a written cybersecurity policy that addresses, at a minimum, enumerated areas, including data governance and classification, access controls and identity management, business continuity and disaster recovery, systems and network security and monitoring, customer data privacy, vendor and third-party service provider management, and incident response;
- Penetration testing information systems at least annually, and conducting vulnerability assessment at least quarterly;
- Conducting annual risk assessments;
- Implementing written policies designed to ensure security of third-party access to information systems and nonpublic information;
- Limiting data retention;
- Encrypting all nonpublic information held or transmitted by the covered institution;
- Establishing a written incident response plan;
- Annually certifying compliance to DFS (beginning in January 2018);
- Notifying DFS within 72 hours of learning of any cybersecurity event that has a reasonable likelihood of materially affecting the normal operation of the covered institution's business, or that affects nonpublic information (including any attempt – whether successful or unsuccessful – to gain unauthorized access to, disrupt or misuse the covered institution's information systems or information stored on such systems).
Many requirements under the proposed federal and New York regulations reflect best practices and are consistent with existing guidance. Covered institutions should evaluate the impact these regulations may have on their existing cybersecurity governance and management practices, and consider taking steps to bring their policies and practices into alignment with the proposed regulations. However, because neither of these proposed sets of regulations has been adopted to date, the final contours of each are unknown. We will continue to monitor the status of these proposals and their potential impact on affected companies.