Everyone is increasing the attention of cybersecurity given the continued parade of hacking incidents. Just last week, the three main prudential regulators for financial institutions—Office of the Comptroller of the Currency (OCC), Federal Reserve Board (FRB), and Federal Deposit Insurance Corporation (FDIC)—released new proposed cybersecurity risk mitigation standards called, Enhanced Cyber Risk Management Standards.
Cybersecurity is a critical aspect of all global financial transactions as the financial sector operates through a network of interrelated markets and financial participants that are in every country.
With the release of proposed federal guidance applicable to financial institutions (FIs), the OCC, FRB, and FDIC are signaling that the nation’s largest FIs—those with over $50B in assets—are not doing enough in the way of protecting the financial ecosystem. These are just proposed guidelines and the regulators will accept comments and feedback until January 17, 2017, but this guidance is designed to enhance cybersecurity risk management standards for risk management, governance, operational resilience, and reconstitution efforts post-attack.
While FIs generally have more rigor around their cybersecurity risks and control frameworks, the continued hacks and breaches against the likes of DNC, Anthem, Target, OMB have shaken the foundational core of cyber controls and overall cybersecurity effectiveness. The proposed guidance emphasizes: increased controls and measured effectiveness, cyber resiliency that presupposes hacks and interruptions of service will occur and focus on remediation and getting services restored, and governance that starts and stops at the Board’s front doorstep.
Specifically, the guidance calls for financial institutions to focus on five areas:
1. Cyber risk governance — having a written cybersecurity program, risk appetite established by the executive management and Board, a risk management framework, and accountability.
2. Cyber risk management — aligning business line risk efforts, establishing enterprise-wide risk management reporting to Board and Chief Risk Officer, and ensuring a robust audit function
3. Internal dependency management — continually assessing and improving cyber risk management.
4. External dependency management — ensuring relationships with third-party providers are as secure as the controls within the bank and placing an onus on the bank for these risks.
5. Incident Response, cyber resilience, and situational awareness — ensuring the organization has baked in cyber resilience against attacks, recovery time objectives, an enhanced ability to recover from disruptions, and situational awareness of all cybersecurity threats to the FI.
As it relates to governance, assigning the Board an increased level of responsibility and accountability is the most significant enhancement in the standard and perhaps the change that has potential to be most impactful. Similar to the requirements under Sarbanes Oxley (SoX) that require Boards to have persons of financial expertise on the Board or Audit committee, this standard proposes having a cybersecurity expert as a part of the executive management and board functions.
This will ensure that there is proper governance over risk, cybersecurity, and privacy from an outside director perspective. Nothing these days is more important than having effective, knowledgeable experts who can understand business objectives and goals and provide some balance to cybersecurity business advantages and risks.
In the coming months it will be critical to see how the proposed changes are analyzed and assessed by the banks, how practical and feasible some of the more proscriptive requirements are, where these requirements overlap with current guidance, and how large FIs are able to prepare for what looks like more external governance over cybersecurity.
In the end, the financial systems are so intertwined that it’s critical to ensure a risk at one or more institutions does not turn into a threat that cascades across the whole ecosystem.