Proposed Cybersecurity Regulations for Banking Agencies: Internal and External Dependency Management

The United States Federal Reserve’s recently proposed Enhanced Cyber Risk Management Standards define five categories of standards intended to reduce covered entities’ cyber liability risk. We have already discussed the details of the first two categories – cyber risk governance and cyber risk management – and this post focuses on the next two: internal and external dependency management. In the context of the proposal, internal dependency refers to a covered entity’s own business assets, and external dependency refers to the entity’s relationships with outside parties.

Internal Dependency Management

According to the proposal, internal dependency standards are meant to ensure that covered entities can identify and manage the cyber risks associated with their business assets (the workforce, data, technology, and facilities, that is, the assets upon which the entity depends to deliver services and information). In addition, covered entities must continually assess and develop their internal dependency risk management strategies on an enterprise-wide basis, and may be asked to integrate an internal dependency plan into their existing risk management plan. To maximize the plan’s effectiveness, covered entities will also be asked to maintain an inventory of their business assets and remain aware of all functions that could bear on their cyber risk management strategy.

The entities will also be required to create and apply relevant controls to address their business assets’ cyber risk, which will entail evaluating their assets’ cyber risk before deployment, continually monitoring the assets and controls, and assessing any cyber risks that are relevant to the assets.

External Dependency Management

On the other hand, external dependency management (covering the entity’s relationships with outside vendors, suppliers, customers, utilities, and other external providers that deliver information and services to the entity) will require covered entities to build an external dependency risk management strategy into their risk management plan in order to address external cyber liabilities and interconnection risks. That strategy would clearly define the responsibilities of the external dependency management function, establish and regularly update its policies and procedures, implement appropriate measures to reduce external dependency-related cyber risks, and put appropriate compliance measures in place.

In addition, the external dependency management function would be responsible for monitoring all external dependencies and implementing cyber risk control measures in a timely manner. Covered entities must also create and apply controls addressing their external dependencies’ cyber risks, under which the entities continually analyze the cyber risks relevant to their external partners and periodically test and evaluate alternative control measures.

About FGIB

Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for financial entities, in addition to providing crime insurance and general business insurance products to a number of firms across the United States. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (877) 485-4413 to speak with one of our professionals.