Banks face new cyber regs
EDITOR'S NOTE: Don Sadler is a freelance writer.
Several major cyberattacks on financial institutions have occurred in recent years, including the JPMorgan Chase attack in 2014 that remains the largest data breach at a U.S. bank in the nation’s history.
This hack affected more than 100 million bank customers whose personal information — including Social Security numbers, physical and email addresses, phone numbers and other personally identifiable information — was compromised. To lessen the risk of similar cyberattacks in the future, banking regulators have proposed a strict set of new cybersecurity regulations that would apply to the largest banks in the country. Depository institutions and interconnected entities with total U.S. assets of $50 billion or more would be subject to the new regulations, which have been proposed by the Federal Reserve Board, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation.
The enhanced cyber risk management standards are a set of risk-management and resilience standards that large financial institutions would be required to adhere to. They are designed to help systemically important financial institutions prepare for, track and respond to potentially catastrophic cyberattacks.
The regulatory agencies are concerned not only about the possible impact of a cyberattack on a single large bank, but also how such an attack could affect other interconnected financial entities and the resulting systemic consequences. In a worst-case scenario, regulators fear such an attack could threaten the safety and soundness of the entire U.S. financial sector.
Financial institutions currently are responsible for their own cybersecurity defense systems, based upon supervisory programs and cybersecurity best practices that have been established by regulators. The enhanced cyber risk management standards would be integrated into the existing supervisory framework for the largest U.S. banks.
Enhanced standards
Five categories
The proposed new regulations will address the following five categories of cyber standards:
Cyber risk governance. This will require large banks to create a broad cyber-risk management strategy.
Cyber risk monitoring and management. The level of cyber risk must be maintained within risk appetite and tolerance levels approved by the bank’s board of directors.
Cyber resilience. Strategies must be established and implemented to ensure business continuity in the event of a disruption caused by a cyberattack.
Records storage. Protocols must be established for secure and immutable storage of critical bank records, such as loan data and account records.
Situational awareness and incident response. Banks must maintain continual awareness of their operational status and cybersecurity posture, including establishing mandatory recovery times and strategies in the event of a disruptive cyberattack.
According to the proposed rule, the regulations also could require big banks to designate separate senior leaders with direct board access who are specifically in charge of cyber risk management. This practice has become more common in corporate America as chief information security officers assume top management roles in many companies. In October, the regulatory agencies issued an advance notice of proposed rulemaking to gather feedback from industry stakeholders before developing a more detailed proposal. The deadline for comments on the proposed rule was Feb. 17.
Industry reaction
For its part, the American Bankers Association has voiced support for a broad framework that “harmonizes” existing cybersecurity regulations. However, it is not in favor of strict regulations that would impose the same cybersecurity requirements on every bank. “What we’re accustomed to having in place particularly as it relates to cyber risk is the ability to utilize our own discretion,” said Doug Johnson, senior vice president for payments and cybersecurity policy for the ABA, in an article published in October in The Washington Post. “Different organizations have different risks based on the types of organizations that they support.” In its comment letter submitted on Jan. 18, the U.S. Chamber of Commerce stated that the regulatory agencies should pursue a “flexible and risk-based approach” to cybersecurity at systemically important financial institutions. The Chamber emphasized three main points in the letter:
The agencies should encourage continued cybersecurity leadership by the financial services industry.
The agencies should support the collaborative development of risk-based approaches rather than impose prescriptive requirements.
The agencies should pursue regulatory harmonization and avoid creating additional regulatory duplication or confusion.
“It is our strong belief that cybersecurity should be managed in a risk-based manner based on the unique threats that an enterprise faces, the data it holds and systems it operates, and its culture and capabilities,” the Chamber’s letter continued. “While the agencies have identified cybersecurity measures that may make sense for some financial institutions, we would urge them to avoid imposing prescriptive cybersecurity standards on financial sector entities.”
New cybersecurity standards could affect large financial institutions
© 2017 OnCourse Learning Corp. All rights reserved
By Don Sadler