Proposed Federal Cybersecurity Rules
Financial Institutions Law Update 10/28/16 James I. Kaplan
New Proposed Cybersecurity Rules
The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 for enhanced cybersecurity standards on large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third party providers that service those entities (“Covered Entities”). Community and most regional banks will be exempt. The comment period ends January 17, 2017.
The Proposed Rules address five key areas:
- Cyber risk governance: Covered entities are to develop a cyber risk management strategy which must be approved by a board committee. Cybersecurity officers are to be independent of business line management and must report to a board committee whose members will be required to have adequate expertise (or access to personnel with expertise) in cybersecurity.
- Cyber risk management: Three independent functions within Covered Entities will be required to integrate cyber risk management: business units, independent risk management, and the audit function.
- Internal dependency management: Covered Entities must have effective capabilities in place to identify and manage cyber risks associated with their business assets (that is, their workforce, data, technology, and facilities) throughout their lifespans.
- External dependency management: Covered Entities must have effective capabilities in place to identify and manage cyber risks associated with their external dependencies and interconnection risks, including vendors, suppliers, customers, utilities, and other external organizations and service providers.
- Incident response, cyber resilience, and situational awareness: Covered Entities must plan for, respond to, contain, and be able to rapidly recover from disruptions caused by cyber incidents.
In addition, a higher set of standards would apply to a Covered Entity’s “sector-critical systems,” those critical to the financial sector as a whole. For these systems, Covered Entities will be required to use the most sophisticated tools in the market, along with the capability to recover from a cyber attack within two hours.
The New York Rules
In our October 11, 2016 Financial Institutions Law Update regarding new cybersecurity regulations for New York licensed financial institutions, we expected other regulators to enact similar standards. Of course, the New York and federal rules were developed concurrently and without coordination; nevertheless, the Proposed Rules functionally mirror several aspects of the New York rules, albeit with different terminologies.
Where the Proposed Rules markedly differ from the New York rules is the treatment of vendors and third party service providers. The New York rules require covered entities to conduct oversight of their third party service providers, and covered entities bear the responsibility of vendor compliance. Conversely, the federal Proposed Rules capture vendors within their definition of Covered Entities. This may incentivize New York regulated financial institutions to specifically seek out or move to vendors that are already regulated by the Proposed Rules in order to offset some liability.
Ultimately, both sets of rules require additional cybersecurity personnel and new policies and infrastructure. Compliance costs will not only increase, but technological advancement and the constant maintenance and upgrade requirements of cybersecurity infrastructure and protocols will prove to be a recurring and increasing expense. Of course, the tradeoff of increased expense and management time in exchange for a more secure and stable financial system is a goal that both industry and regulators share.
We are prepared to advise on compliance with all aspects of these rules. For questions, please contact James Kaplan at [email protected]/(312) 715-5028, Moein Khawaja at [email protected]/(312) 715-2760, or your local Quarles & Brady attorney.