In October 2016, the U.S. federal banking agencies jointly issued an advance notice of proposed rulemaking regarding enhanced cyber risk management standards (the “Enhanced Standards”). The Enhanced Standards would apply on an enterprise-wide basis to large financial institutions and their service providers (the “Covered Entities”), as detailed in this memorandum. The U.S. federal banking agencies proposed the Enhanced Standards in an era of increasingly frequent and damaging cyberattacks, in which heightened cybersecurity standards, and the compliance obligations that accompany them, are inevitable. Other regulators and groups – such as the New York State Department of Financial Services, FinCEN, and the finance ministers of the G-7 – have also recently proposed new rules and frameworks in response to recent high-profile cyberattacks on banks and other institutions. These actions are all part of a perhaps loosely coordinated effort to require the financial sector to “up its game,” given the potentially serious consequences of failure.
In this era of increased cyberattacks, the art will be to develop a regulatory framework that is flexible enough, and sophisticated enough, to encourage enhanced standards and compliance without imposing costs that are disproportionate to the risks. The balance is a delicate one, and the advance notice of proposed rulemaking therefore should receive careful thought and scrutiny. The Enhanced Standards are intended to strengthen the operational resilience of Covered Entities, meaning their ability to prevent a cyberattack and to withstand and recover from one, and to reduce the potential impact on the financial system in the event of a cyberattack.
In this memorandum, we discuss the scope of application of the Enhanced Standards, the existing cybersecurity requirements and guidelines, the five categories of the Enhanced Standards (as listed below), and the concept of sector-critical systems and the additional Enhanced Standards that would apply to them.