Proposed Cybersecurity Regulations for Banking Agencies: Incident Response, Cyber Resilience, and Situational Awareness

Due to the risk of damaging cyber attacks in the financial sector, the Federal Reserve drafted the Enhanced Cyber Risk Management Standards in October of 2016, which consists of a number of recommended standards to reduce Cyber Liability for banking agencies and other financial groups. Said standards are divided into five categories, with the final category being incident response, cyber resilience, and situational awareness. The proposed standards within this category would ensure that covered agencies have solidified plans for possible cyber threats and would be capable of efficiently responding to and rapidly recovering from any such incident.

Incident Response

According to the Federal Reserve, agencies may require that all covered entities design and implement measures that would allow for the entities to still perform their core business functions in the event of a cyber disruption, specifically incidents involving multiple interruptions and cyber attacks on multiple related sections of critical infrastructure (examples being energy and telecommunications). In addition, covered entities would also be required to develop protocols for secure, dependable, and offline storage for their critical records (such as financial records, loan data, deposit records, and asset management account information). Effectively preserving their critical records would allow for the covered entities to take the first step in facilitating recovery from cyber attacks. Finally, the proposal asks that the entities maintain their incident response and cyber resilience plans on an enterprise-wide level and supplement them with relevant procedures, governance, and independent evaluation.

Cyber Resilience

The proposal cites the IT Handbook, stating that it asks that examiners determine whether covered entities have created recovery plans for cyber-attack cases, particularly those with the potential to damage data and or systems and disrupt access. The proposal asks that these recovery plans designate recovery time objectives (RTOs), preserve critical data in the event of an incident, and have plans in place to transfer data and business to another entity or service provider in the event of a failure. In addition, the proposal strongly recommends that covered entities conduct specific, regular cyber resilience testing to determine specifically how potential cyber threats could affect their business functions, and additionally test external dependencies.

Situational Awareness

The Federal Reserve states that one of the most important aspects of situational awareness is having the ability to identify, analyze, and track data on potential cyber risks in a timely manner. Because of this, the proposal discusses a requirement  that covered entities maintain proper situational awareness through:

  • Creating and regularly updating threat profiles (which would include information about “critical assets, threat actors, and details about how threat actors might attempt to compromise those critical assets”) on possible sources of cyber liability
  • Implementing threat modeling (“using a structured process to identify how critical assets might be compromised by a threat actor and why, what level of protection is needed for those critical assets, and what the impact would be if that protection failed”) measures
  • Regularly collecting cyber threat intelligence and performing security analytics
  • Continually implementing and updating vulnerability management measures

About FGIB

Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for financial entities, in addition to providing crime insurance and general business insurance products to a number of firms across the United States. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (877) 485-4413 to speak with one of our professionals.