Federal Banking Regulators Announce New Proposed Cybersecurity Standards

October 24, 2016

On October 19, 2016, federal banking regulators released an advance notice of proposed rulemaking (“ANPR”) that would impose heightened cybersecurity standards on many large financial institutions.[1] The standards under consideration address growing technological interdependence in the financial sector and are designed to increase the operational resilience of entities covered by the ANPR and to reduce the impact on the financial system of a cyber-event experienced by any one entity. The standards were proposed by the Federal Reserve (“Fed”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC”) and are subject to a 90-day public comment period, which ends on January 17, 2017.

The ANPR would apply to (1) all U.S. bank holding companies and savings and loan firms with total consolidated assets of $50 billion or more; (2) foreign banking organizations with U.S. assets totaling $50 billion or more; (3) state member banks, nonmember banks, and savings associations that have total consolidated assets of $50 billion or more; (4) any national bank, federal savings association, U.S. branch of a foreign bank, state member bank, state nonmember bank, or state savings association that is a subsidiary of a bank holding company or savings and loan company with total consolidated assets of $50 billion or more; (5) third-party providers of payment processing, core banking, and other financial technology services to covered entities; and (6) nonbank financial companies, financial market infrastructure companies, and financial market utilities supervised by the Fed.  The ANPR would not apply to community banks.

The proposed regulations address five categories of cybersecurity: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

The category of cyber risk governance is designed to ensure that covered entities establish a formal cybersecurity framework that is integrated into business strategy and subject to the highest levels of board review.  The cyber risk management standards seek to address the implementation of cybersecurity goals through three independent functions with appropriate checks and balances.  Internal dependency management regulations are intended to ensure that entities can identify and manage cyber risks associated with their business assets.  By contrast, external dependency management regulations target cyber risks associated with interconnected external organizations and service providers.  Finally, standards within the incident response, cyber resilience, and situational awareness category are designed to ensure that covered entities anticipate, contain, and rapidly recover from cyber-attacks and disruptions.

Taken together, the proposed regulations would require that every covered entity’s cybersecurity risk management framework include, among other things:

  • Development of board-approved, enterprise-wide cyber risk management strategies and procedures that are incorporated into overall business strategy and risk management;
  • Board review and approval of cyber risk appetite and tolerance of the entity;
  • Sufficient cybersecurity expertise on the board or access to resources and staff with such expertise;
  • Senior cyber risk managers with direct, independent access to the board of directors;
  • Cyber risk management built into existing business units and an independent risk management function;
  • Development of an audit function that assesses the cyber risk management framework and is incorporated into the entity’s overall audit plan;
  • Cyber risk assessment and inventory of all business assets and periodic tests of back-ups to business assets;
  • Procedures to identify and manage cyber risks associated with outside vendors, suppliers, customers, utilities, and other external organizations and service providers;
  • Cyber resilience and incident response programs;
  • Protocols for secure, off-line storage of critical records including loan data, asset management account information, and daily deposit account records;
  • Specific testing that addresses disruptive cyber events, the potential for multiple attacks, and the impact of interruptions on critical infrastructure;
  • Threat profiles and threat modeling for identified threats to the entity; and
  • Active cyber threat intelligence gathering and ongoing security analytics.

The proposed regulations contemplate a two-tiered approach, with more stringent standards for systems of covered entities that are “critical” to the functioning of the financial sector—defined to include systems that support the clearing or settlement of at least five percent of the value of transactions in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity securities.

For these sector-critical systems, covered entities would be required to establish a recovery time objective of two hours to return to normal operations after a cyber-attack.  In addition, sector-critical systems would be required to implement the “most effective, commercially available controls” to minimize residual cyber risk.

Notably, the Fed, OCC, and FDIC appear particularly interested in developing a consistent methodology for measuring cyber risk in covered entities.  The ANPR cites the FAIR Institute’s Factor Analysis of Information Risk standard and Carnegie Mellon’s Goal-Question-Indicator-Metric process, but seeks private-sector input on any other measurement procedures.

The ANPR was announced just one month after the New York State Department of Financial Services (“DFS”) proposed new cybersecurity regulations for financial services companies, as discussed in a prior Gibson Dunn Client Alert.[2]  The DFS proposals contain cyber governance and incident response requirements that will affect many of the same institutions covered by the ANPR.  The DFS proposals are set to take effect on January 1, 2017.

The ANPR poses 39 questions for the public across the five categories of cybersecurity standards, and seeks comments on all aspects of the proposed regulations.  After the 90-day public comment period, ending on January 17, 2017, the Fed, OCC, and FDIC plan to use the collected information to develop a more detailed set of standards for consideration.

[1] A copy of the proposed regulations may be found at https://www.fdic.gov/news/board/2016/2016-10-19_notice_dis_a_fr.pdf.

[2] See Gibson Dunn Client Alert, New York State Department of Financial Services Announces Proposed Cybersecurity Regulations (Sept. 19, 2016), available at http://www.gibsondunn.com/publications/Pages/New-York-State-Department-of-Financial-Services-Announces-Proposed-Cybersecurity-Regulations.aspx.

The following Gibson Dunn lawyers assisted in the preparation of this client alert:  Alexander Southwell, Arthur Long, Ryan Bergsieker and Virat Gupta.


© 2016 Gibson, Dunn & Crutcher LLP
