18 November 2016
On October 19 2016 the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation (collectively 'the agencies') issued a joint advance notice of proposed rulemaking (ANPR) inviting comment on enhanced cyber-risk management standards for large and interconnected entities under their supervision and for those entities' service providers.(1) As financial technology continues to advance, the largest and most complex financial institutions rely increasingly on technology to carry out their banking activities and to provide critical services to the financial sector and the US economy. The ANPR is intended to improve a covered entity's ability to keep functioning in the event of a cyber-attack and to reduce the impact that such an attack, propagated through interconnectedness, would have on the financial system as a whole.
The agencies have existing supervisory programmes with general expectations for cybersecurity practices at depository institutions, their holding companies and third-party service providers. The enhanced standards that would eventually result from the ANPR would be integrated into the existing framework by establishing increased supervisory expectations for the entities and services that potentially pose a heightened cyber-risk to the safety and soundness of the financial sector. The agencies are also considering implementing the enhanced standards in a tiered manner and imposing more stringent standards on those entities critical to the functioning of the financial sector. The ANPR is structured as a discussion of proposals that the agencies are considering along with specific questions for which the agencies are seeking input. Comments on the ANPR are due by January 17 2017.
The agencies are considering applying the enhanced standards enterprise-wide to certain entities with total consolidated assets of $50 billion or more. The enhanced standards would apply to US bank holding companies, savings and loan holding companies and federal and state-chartered banks and savings associations that meet or exceed the asset threshold, and to the US operations of foreign banking organisations with total US assets of $50 billion or more. Additionally, the agencies are considering whether to extend the enhanced standards to non-bank financial institutions supervised by the Federal Reserve Board, to designated financial market utilities for which the Federal Reserve Board is the primary supervisor, and to other financial market infrastructures that are members of the Federal Reserve System. Furthermore, the agencies are considering whether to apply the enhanced standards, directly or via contract, to third-party service providers with respect to services provided to depository institutions and their affiliates that are covered entities.
The enhanced standards would emphasise the need for covered entities to:
The standards would be organised into five categories:
Notably, as part of the external dependency management standard, the agencies are considering a requirement that covered entities have the ability in real time to monitor all external dependencies and trusted connections enterprise-wide and to prioritise them based on their criticality to the business functions they support, the firm's mission and the financial sector. Also, as part of the incident response, cyber resilience and situational awareness standard, the agencies could include a requirement that covered entities establish plans and mechanisms to transfer business, where feasible, to another entity or service provider with minimal disruption and within prescribed timeframes if the original covered entity or service provider is unable to perform.
As discussed above, the agencies are considering establishing a two-tiered approach to implementing the enhanced standards. The general enhanced standards would apply to all systems of covered entities and an additional, higher set of expectations, referred to as "sector-critical standards", would apply to those systems of covered entities critical to the financial sector. As part of the sector-critical standards, the agencies are considering requiring covered entities to establish a recovery time objective of two hours for their sector-critical systems to recover from a cyber event. The agencies are considering whether to include the following systems within the scope of the sector-critical standards:
The agencies are considering three possible approaches to implement the enhanced standards:
For further information on this topic please contact Joel D Feinberg, David E Teitelbaum or Stanley J Boris at Sidley Austin LLP by telephone (+1 202 736 8000) or email. The Sidley Austin website can be accessed at www.sidley.com.
(1) The ANPR was published in the Federal Register on October 26 2016. The ANPR is available at www.gpo.gov/fdsys/pkg/FR-2016-10-26/pdf/2016-25871.pdf (81 Fed Reg 74,315, Oct 26 2016).