Regional and community banks: proposed federal cybersecurity regulations don’t apply to you (yet) but do offer valuable strategies.

Executive summary

Federal regulators have issued an advance notice of new proposed cybersecurity standards. The notice invites comment on enhanced cybersecurity standards for regulated entities with total assets of $50 billion and certain of their service providers. The potential new standards don’t apply (yet) to regional or community banks. But those banks should consider implementing aspects of the proposed standards into their cybersecurity practices, consistent with their resources and perceived risks.

Specifically, the proposed standards emphasize board-level cybersecurity management. The new standards, if approved, could require a written, board-approved, cybersecurity strategy; cybersecurity executives reporting directly to the board; and a risk management policy with plans for responding to incidents and regularly testing and updating cybersecurity defenses. Those are practices that could benefit all banks, regardless of size.

Any final regulation is a long way off.

On October 19, 2016, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (collectively, “the Agencies”) issued an advance notice of proposed rulemaking, available here. Comments are due by January 17, 2017.

There’s still a way to go before the proposed rule goes into effect. The Agencies are requesting public comment on the proposed standards, which they will use to develop a more detailed proposal and potential regulations. The Agencies will then again invite public comment before adopting any final rule.

The proposed standards could apply to entities with $50 billion or more in assets.

The Agencies intend the proposed rule to enhance cybersecurity requirements for the “largest and most interconnected entities under their supervision” (the “covered entities”). The Agencies perceive cyberthreats to the covered entities as posing a systematic risk to the entire financial sector, potentially warranting increased regulation. The notice defines covered entities as, in sum: (1) regulated entities (e.g. bank holding companies and savings and loan holding companies) with assets of $50 billion or more, including all subsidiaries; and (2) certain third-party service providers to covered entities.

The Agencies are also considering a higher set of standards, referred to as “sector-critical standards,” applying to “systems” of covered entities “that are critical to the financial sector.” The Agencies are considering what systems to define as “sector critical.” The notice indicates such systems are likely to be those consistently clear or settle at least five percent of the value of transactions in a “critical market” or that provide a “key functionality” to the financial sector. For sake of brevity, this blog post does not further discuss the sector-critical standards.

The notice discusses increased standards in five categories.

The notice discusses increased standards in the following five categories. Community and regional banks should consider whether they can incorporate any of these proposed standards into their operations, consistent with their available resources and perceived risk.

1. Cyber risk governance (i.e. a high level cyber risk management strategy). Increased standards in this area could require:

• Development of a written, board-approved, enterprise-wide cyber risk management strategy incorporated into the overall firm’s business strategy and risk management.
• An assessment of the firm’s overall cybersecurity risk.
• Boards to have adequate expertise in cybersecurity, or access to such expertise, so as to be able to challenge management’s cybersecurity decisions.
• Senior leaders with responsibility for cyber risk to be independent of business line management, with direct, independent access to the board.
• A cyber risk management framework with delineated oversight responsibilities, including procedures for responding to cyber threats, and testing and updating cybersecurity protocols.

2. Cyber risk management (i.e. integrating cybersecurity into multiple business units). This proposed standard would require covered entities to integrate cyber risk management into the responsibilities of “at least three independent functions . . . with appropriate checks and balances.” The increased standards in this area could also require the following:

• Units responsible for the day-to-day business functions of a covered entity would be responsible for assessing their cyber risks, sharing that information with senior management, and ensuring compliance with the unit’s cybersecurity responsibilities.
• Covered entities should establish an “independent risk management function” that would analyze cyber risks and assess the firm’s exposure. The risk management function would operate independently of the firm’s business units.
• Covered entities should establish an audit function to regularly assess whether they are adhering to their own cybersecurity policies and are compliant with applicable laws and regulations.

3. Internal dependency management (i.e. assessing and addressing risks from the covered entity’s workforce, technology, and facilities). The increased standards in this area could require the following:

• Covered entities should keep an inventory of all business assets on an enterprise-wide basis, including “mappings to other assets and other business functions, information flows, and interconnections.”
• Covered entities should establish appropriate controls to address risk to the entity’s assets, including monitoring employee use of assets.

4. External dependency management (i.e. assessing and addressing risks from the covered entity’s outside vendors, suppliers, customers and other third parties). The increased standards in this area could require the following:

• Covered entities should have a current list of “all external dependencies and business functions, including mappings to support assets and business functions” (i.e. know all outside vendors and how they connect to the entity’s business units).
• Covered entities should have an “external dependency management strategy” with policies for managing risks from third parties throughout the lifespan of the relationship.
• Covered entities should have identified and implemented appropriate controls on external partners’ access.

5. Incident response, cyber resilience and situational awareness (i.e. planning for how to address and quickly recover from cybersecurity incidents). Increased standards in this area could require the following:

• Covered entities should develop strategies for recovering lost data and maintaining core business functions in the event of a cyber-attack.
• Covered entities should establish protocols for “secure, immutable, off-line storage of critical records,” which could be accessed by another financial institution if the covered entity was unable to do so.
• Covered entities should establish plans to “transfer business, where feasible, to another entity or service provider with minimal disruption.”
• Covered entities should identify and monitor potential threats to the firm.
• Covered entities should test the “cyber resilience” of their operations and services.