October 24, 2016
On October 19, 2016, federal banking regulators released an advanced notice of proposed rulemaking (“ANPR”) that would impose heightened cybersecurity standards on many large financial institutions.[1] The standards under consideration address growing technological interdependence in the financial sector and are designed to increase the operational resilience of entities covered by the ANPR and reduce the impact on the financial system of a cyber-event experienced by any one entity. The standards were proposed by the Federal Reserve (“Fed”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC”) and are subject to a 90-day public comment period, which ends on January 17, 2017.
The ANPR would apply to (1) all U.S. bank holding companies and savings and loan firms with total consolidated assets of $50 billion or more; (2) foreign banking organizations with U.S. assets totaling $50 billion or more; (3) state member banks, nonmember banks, and savings associations that have total consolidated assets of $50 billion or more; (4) any national bank, federal savings association, U.S. branch of a foreign bank, state member bank, state nonmember bank, or state savings association that is a subsidiary of a bank holding company or savings and loan company with total consolidated assets of $50 billion or more; (5) third-party providers of payment processing, core banking, and other financial technology services to covered entities; and (6) nonbank financial companies, financial market infrastructure companies, and financial market utilities supervised by the Fed. The ANPR would not apply to community banks.
The proposed regulations address five categories of cybersecurity: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
The category of cyber risk governance is designed to ensure that covered entities establish a formal cybersecurity framework that is integrated into business strategy and subject to the highest levels of board review. The cyber risk management standards seek to address the implementation of cybersecurity goals through three independent functions with appropriate checks and balances. Internal dependency management regulations are intended to ensure that entities can identify and manage cyber risks associated with their business assets. By contrast, external dependency management regulations target cyber risks associated with interconnected external organizations and service providers. Finally, standards within the incident response, cyber resilience, and situational awareness category are designed to ensure that covered entities anticipate, contain, and rapidly recover from cyber-attacks and disruptions.
Taken together, the proposed regulations would require that every covered entity’s cybersecurity risk management framework include, among other things:
The proposed regulations contemplate a two-tiered approach, with more stringent standards for systems of covered entities that are “critical” to the functioning of the financial sector—defined to include systems that support the clearing or settlement of at least five percent of the value of transactions in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity securities.
For these sector-critical systems, covered entities would be required to establish a recovery time objective of two hours to return to normal operations after a cyber-attack. In addition, sector-critical systems would be required to implement the “most effective, commercially available controls” to minimize residual cyber risk.
Notably, the Fed, OCC, and FDIC appear particularly interested in developing a consistent methodology for measuring cyber risk in covered entities. The ANPR cites the FAIR Institute’s Factor Analysis of Information Risk standard and Carnegie Mellon’s Goal-Question-Indicator-Metric process, but seeks private-sector input on any other measurement procedures.
The ANPR was announced just one month after the New York State Department of Financial Services (“DFS”) proposed new cybersecurity regulations for financial services companies, as discussed in a prior Gibson Dunn Client Alert.[2] The DFS proposals contain cyber governance and incident response requirements that will affect many of the same institutions covered by the ANPR. The DFS proposals are set to take effect on January 1, 2017.
The ANPR poses 39 questions for the public across the five categories of cybersecurity standards, and seeks comments on all aspects of the proposed regulations. After the 90-day public comment period, ending on January 17, 2017, the Fed, OCC, and FDIC plan to use the collected information to develop a more detailed set of standards for consideration.
[1] A copy of the proposed regulations may be found at https://www.fdic.gov/news/board/2016/2016-10-19_notice_dis_a_fr.pdf.
[2] See Gibson Dunn Client Alert, New York State Department of Financial Services Announces Proposed Cybersecurity Regulations (Sept. 19, 2016), available at http://www.gibsondunn.com/publications/Pages/New-York-State-Department-of-Financial-Services-Announces-Proposed-Cybersecurity-Regulations.aspx.
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Alexander Southwell, Arthur Long, Ryan Bergsieker and Virat Gupta.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For further information about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity and Consumer Protection or Financial Institutions practice groups, or the following:
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Please also feel free to contact any of the following practice group leaders and members:
Privacy, Cybersecurity and Consumer Protection Group:
Alexander H. Southwell – Chair, New York (+1 212-351-3981, [email protected])
M. Sean Royall – Dallas (+1 214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Shaalu Mehra – Palo Alto (+1 650-849-5282, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650–849–5393, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Richard H. Cunningham – Denver (+1 303-298-5752, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Financial Institutions Group:
Arthur S. Long – Co-Chair, New York (+1 212-351-2426, [email protected])
Stephanie L. Brooker – Co-Chair, Washington, D.C. (+1 202-887-3502, [email protected])
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, [email protected])
Carl E. Kennedy – New York (+1 212-351-3951, [email protected])
© 2016 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.