The largest and most interconnected global financial institutions and the companies that provide them payment services should face tighter rules on cybersecurity, the three top U.S. bank regulators said.
The proposal came Wednesday in a joint advance notice of proposed rule-making from the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation.
In the proposal, the regulators argue that financial service providers increasing reliance on computer networks increases “opportunities for high-impact technology failures and cyberattacks.”
Because the whole sector is interconnected, a single “cyber incident or failure” in the wrong place might have “potentially systemic consequences,” such as a financial crash.
The new “enhanced” rules cover only a certain category of financial institutions — basically those with more than $50 billion in assets, labeled systemically important by the Dodd-Frank post-crisis financial reforms. They aim “at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of [them],” said Martin Gruenberg, Chair of the Federal Deposit Insurance Corporation, in a statement.
Certain IT systems at those larger institutions — the ones deemed by regulators as “sector-critical” — would be subject to more stringent regulations. Sector critical systems could include those that “support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis)” in markets for T-bills, stocks and bonds, foreign exchange and federal funds — and maybe derivatives as well.
The three agencies say the enhanced requirements would fall into five categories:
- Cyber risk governance;
- Cyber risk management;
- Internal dependency management;
- External dependency management; and
- Incident response, cyber resilience, and situational awareness.
Also covered by the proposed rule would be third party providers of payment services like the Depository Trust and Clearing Corporation, or the Automated Clearing House.
Those providers — known as financial market infrastructure or financial market utilities — are not household names like the big banks that are their customers, but run the settlement and payment systems that make modern banking possible.
It makes sense to include them, Doug Johnson of the American Bankers’ Association told CyberScoop. “These are systemically important organizations and their services are just as important as the [financial] institutions themselves.”
Johnson said the ABA would be getting input from its members before drafting comments on the proposed rule-making, but that generally cybersecurity issues were handled in a “pretty collaborative” way between banks and regulators.
“It’s hard to argue with the high-level provisions,” he said of the planned rule. But he cautioned that actual implementation was “where the rubber meets the road.”
The notice lays out very broad parameters for possible rules in the five categories and poses 39 questions to regulated financial institutions. There is a 90 day period for public comment, which will expire a few days before the new president is sworn in to office.
In a memo FDIC staff prepared for a meeting of their board of directors earlier this month, they outline three approaches they might take. The regulation might:
- Require the banks it covers to” maintain a risk management framework for cyber risks, in conjunction with supervisory guidance that describes minimum expectations for the framework;” or
- Impose “specific cyber risk management standards;” or
- Specify the “objectives and practices” the covered banks would need to “achieve in each area of concern in order.”
Johnson said the banks tended to favor the first option. “Standards can become outdated very quickly as threats change, as the defensive technologies change,” he said.
He noted that check-the-box security standards were deprecated by many cyber experts. “We would view compliance-based activities as less helpful,” he said.
Because the large banks and their regulators shared the goal of shoring up the financial system against online threats, less proscriptive regulations were called for, he said.
“To the extent we have flexibility it’s helpful and appropriate.”
Johnson said another concern banks had was that the new regulations should harmonize with ones they already have to follow. “The relationship with existing requirements is key,” he said. He noted that the three regulators who acted this week were all part of the Federal Financial Institutions Examination Council — an umbrella group for federal bank regulators.
“There’s no doubt the FFIEC is working in unison on this,” he said, “The challenge is … it’s larger than just the FFIEC.” Both the Securities and Exchange Commission and the Commodity Futures Trading Commission had regulatory responsibilities as well, some of which included companies under the FFIEC’s purview as well.
“There’s some tension between an individual agency’s particular responsibilities and the need to ensure … harmonization,” he said.
David Schwartz, of the Florida International Bankers’ Association, told CyberScoop he was concerned about the possible implications of some of the requirements on boards of directors of the companies covered by the new rule.
The notice says the agencies are considering requiring boards “to have adequate expertise in cybersecurity or to maintain access to personnel with such expertise.”
“That raises the bar,” said Schwartz, “you’re talking about expertise in a highly complex, technical field … There could be substantial additional costs involved.”
The notice adds that regulators are considering a rule requiring chief information security officers “to be independent of business line management and have direct independent access to the board.”