Proposed Cybersecurity Regulations for Banking Agencies: Cyber Risk Management

For the past few weeks, we’ve explored the Federal Reserve’s recent Enhanced Cyber Risk Management Standards and what they ask covered financial entities to do to reduce their Cyber Liability. Previously, we discussed the plan’s call for covered entities to exhibit effective cyber risk governance by establishing cyber risk management plans and effectively implementing them within existing risk management strategies. In this post, we will go into more detail about the measures that a firm should cover in its cyber risk management strategy. The plan lists three main methods of protection against cyber risk: considering business units separately, integrating cyber risk into their existing risk management strategies, and assessing the plan through audit functions.

Business Units

Under the proposal, the agencies would require a covered entity’s business units to regularly assess the cyber risks associated with their respective activities. To do this, the units would need to follow new processes and procedures designed to adhere to the entity’s cyber risk management plan, specifically to aid in identifying, monitoring, and controlling the company’s cyber risk. In addition, the business units would need to communicate all information regarding their cyber risk to senior management, so that management is aware of and can respond to any emerging cyber risks.

Independent Risk Management

This aspect of the cyber risk management solution states that covered entities should “incorporate enterprise-wide risk management into the responsibilities of an independent risk management function.” The function would be responsible for reporting to the entity’s chief risk officer and board of directors on the implementation of cyber risk management procedures throughout the organization, analyzing enterprise-level cyber risk in order to respond most effectively, and notifying the CEO and board of directors when its assessment of a specific cyber risk does not match the business unit’s assessment.

Additionally, these entities would be required to quantitatively assess how efficiently and effectively they are able to reduce their aggregate residual cyber risk to the board-approved level. As cyber liability issues have the potential to affect entities on a large scale, the independent risk management function would be required to develop and regularly update their understanding of the entity’s existing cybersecurity procedures and risks, and maintain a line of communication with the board of directors while operating independently.

Audit Function

The proposal states that entities should require their audit function to evaluate cyber risk management, specifically whether the framework is compatible with pertinent laws and regulations and is appropriate for the entity’s “size, complexity, interconnectedness, and risk profile.” The audit function would incorporate this cyber risk management assessment into the entity’s existing overall audit plan, and the plan would need to evaluate the compliance of both the business units and the independent risk management function.

About FGIB

Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for financial entities, in addition to providing crime insurance and general business insurance products to a number of firms across the United States. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (877) 485-4413 to speak with one of our professionals.