Page 10 - GS161101
News
Fed, FDIC, OCC toughen up on FI cybersecurity

The Federal Deposit Insurance Corp., Federal Reserve and Office of the Comptroller of the Currency co-authored a new set of guidelines designed to protect critical banking infrastructure. Escalating cyberattacks combined with increasing dependence on connected technologies have raised threat levels across the banking sector, the agencies stated.

Their recommendations, published Oct. 19, 2016, are detailed in Enhanced Cyber Risk Management Standards, an advance notice of proposed rulemaking (ANPR) that addresses cyber risk, internal dependency and external dependency management, as well as incident response, cyber resilience and situational awareness.

The ANPR recommends a tiered approach to implementing the new security guidelines, directing its strictest policies to large financial institutions with total consolidated assets of $50 billion or more.

"A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector," the authors wrote. "The agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm."

New threat landscape

Increasing reliance on connected technologies in commercial and private sectors has raised threat levels across depository institutions, particularly the seven largest and most complex financial institutions, according to recent reports.

"As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks," the ANPR authors wrote. "Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences."

The authors additionally noted the expanded role of third-party service providers in financial services. "Third parties that provide payments processing, core banking, and other financial technology services to these participants in the financial sector also provide services that are vital to the financial sector," they wrote. They also recommended that third-party service providers and nonbank financial companies be held to the same rigorous standards and scrutiny as the financial institutions they serve.

Enhancing existing rules

The three-party cybersecurity initiative is designed to enhance existing regulatory guidance and oversight, of which there is no shortage in the financial services sector. The ANPR cites the following government agencies and guidelines tasked with protecting U.S. banking infrastructure:

• Federal Financial Institutions Examination Council: The FFIEC has published a series of documents on cyber security, including the IT Handbook, which provides guidance to examiners on third-party service providers. Its Cybersecurity Assessment Tool is a voluntary assessment resource widely used by financial institutions.

• National Institute of Standards and Technology: The NIST Cybersecurity Framework is a voluntary framework designed to improve communications, awareness, and understanding among IT professionals and senior executives. Its five core functions are: Identify, Protect, Detect, Respond, and Recover.

• CPMI-IOSCO Principles for Financial Market Infrastructures: The existing guidelines, created in June 2016 by the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions, are further clarified in the ANPR by the original authors.

• Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System: Jointly created by The Federal Reserve, the Office of the Comptroller of the Currency and the Securities and Exchange Commission, this paper is used as a point of reference in the ANPR. The paper focuses on minimizing systemic effects of wide-scale disruptions in critical financial markets.

Public comments welcome

Enhanced Cyber Risk Management Standards is available for public review and commentary until Jan. 17, 2017. The agencies are considering a variety of approaches, from policy statements to detailed regulations, to beef up existing regulatory and compliance frameworks.

The authors are encouraging the public to respond to the proposal during the open review period. They plan to publish pertinent feedback in a broader, more detailed report, followed by a second round of public review and consideration prior to a final ruling.

For a copy of the ANPR and detailed instructions for submitting commentary, visit www.federalreserve.gov/newsevents/press/bcreg/bcreg20161019a1.pdf.