In October of 2016, the Federal Reserve and other United States banking regulators created a series of new measures meant to increase cyber security and protect financial services and their consumers from online attacks. Financial professionals such as Wall Street, the New York Federal Reserve, and leading banks have been privy to high-profile hacking incidents in recent years, and these measures aim to reduce Cyber Liability among banking agencies and similar groups. Upcoming posts will cover the Notice’s proposed measures in greater detail, however, this post will provide a general outline and explanation of the Notice’s proposed measures and terminology.
Scope of Application
The first question is, naturally, whom these new regulations will cover. According to the Federal Reserve, the agencies proposed that these updated standards cover banks and other institutions with total consolidated assets of $50 billion or higher, and approximately 40 banks and a number of additional financial groups would fall under this scope. In addition to this scope, the Board specified that the standards would also apply to subsidiaries and other groups that fall under the jurisdiction of the aforementioned banks and associations.
Sector-Critical Systems
Due to the intertwining structure of the financial sector, once instance of cyber liability can easily impact multiple entities regardless of location. Because of this, the Notice proposed a bilateral method in which the previously described standards apply to all systems of covered entities within the scope, and another, stricter set of standards will apply to systems of covered entities which are considered crucial to the financial sector, also known as “sector-critical systems”.
Cyber Risk Governance
As stated in a piece from Harvard Law School, the Notice proposes legally requiring that its covered entities have a formal risk management plan ready to be implemented in the case of cyber threats, and asks that the entities continue to monitor the risk’s source after it has been mitigated. The strategy should be implemented into the business’s overall business plan, and would be handled by senior management.
Cyber Risk Management
There are three main methods that the Notice proposes their covered entities use to safeguard themselves against cyber liability. The Notice asks that its covered entities assess their business units’ cyber risks on an individual level, assimilate their cyber security strategy into their established independent risk management measures, and regularly evaluate the effectiveness of said strategy through auditing.
Internal and External Dependency Management
The Notice calls for both internal and external dependency management in managing covered entities’ cyber risks. Internal dependency management would deal with the entity’s “business assets”, which are the assets upon which the entities depend on delivering services and information (examples being technology, facilities, and their workforce). External dependency management, on the other hand, refers to entities’ relationships with outside parties upon which they depend on delivering services and information, with examples being customers, suppliers, utilities, and service providers.
Incident Response, Cyber Resilience, and Situational Awareness
A specific subset of standards within the Notice call for covered entities to “plan for, respond to, contain, and rapidly recover from disruptions caused by cyber incidents.” The entities must be able to continue to operate in the event of a cyber attack, continue to improve their cyber resistance, and work to establish situational awareness to predict any possible changes in the environment.
Standards for Sector-Critical Systems of Covered Entities
Earlier in the post the term “sector-critical systems” came up; the term refers to systems that would have a large, critical impact on the financial sector should they fall victim to a cyber attack. The Notice specifies possible qualifications for a system to be considered sector-critical, such as systems that do not have readily available alternatives, systems that are extremely interconnected to other financial systems, systems that support the maintenance of a significant share of the total United States deposits, and systems that support the clearing of at least five percent of the values of transactions in certain markets.
Approach to Quantifying Cyber Risk of Section
The Notice would like for agencies to have a consistent approach to measuring cyber risk in order to efficiently assess how well they are managing their and their systems’ cyber risk levels. At the moment no quantifiable method for cyber risk exists; agencies will look at existing methodologies such as the FAIR Institute’s Factor Analysis of Information Risk standard and Carnegie Mellon’s Goal-Opinion-Indicator-Metric process and build upon them to develop a consistent, applicable method of measuring cyber risk.
About FGIB
Since 1983, Financial Guaranty Insurance Brokers has distinguished itself as a provider of Professional Liability, Cyber Liability, and Crime insurance products for financial entities, in addition to providing crime insurance and general business insurance products to a number of firms across the United States. To receive timely, personalized service from a knowledgeable and experienced staff, call us today at (877) 485-4413 to speak with one of our professionals.