January 2017
Financial
Services
Regulatory Alert
Recommended
immediate actions
Impacted institutions should
review the ANPR and evaluate, if
implemented as proposed, the range
of potential changes that would be
needed to your:
Cyber risk management strategy
Board and senior management
oversight and engagement
processes
Three-lines-of-defense approach to
cyber risk management
Business asset inventory, including
criticality assessments and
information flows
Vendor risk management strategy
Incident response and resilience
capabilities
Brief your board of directors and
executive management on the ANPR
and its potential implications to your
organization
Consider responding to the ANPR
during the comment period that ends
on February 17, 2017
Enhanced cyber
risk management
standards for financial
institutions
On Wednesday, October 19, 2016, the What is an Advanced
Federal Deposit Insurance Corporation
(FDIC), the Office of the Comptroller of the Notice of Proposed
Currency (OCC) and the Federal Reserve Rulemaking?
Board (FRB) (collectively, the agencies)
jointly announced enhanced cyber risk Industry participants are familiar with the
management standards for financial ANPR process, but many firms beyond
institutions in the form of an Advance financial services who could be affected
Notice of Proposed Rulemaking (ANPR). The may not be. An ANPR is a preliminary
ANPR outlines enhanced cybersecurity risk draft of proposed regulation. While not as
detailed or prescriptive as a final rule, it is
management and resilience standards that
would apply to large and interconnected intended to set out the main components of
entities under the agencies supervision. potential regulation and key open questions
regarding the content and scope of the
Put simply, the proposals would constitute proposal as a basis for consultation with the
the most significant and demanding industry and third parties supporting it.
standards relevant to cybersecurity applied
to major financial services firms operating The cyber ANPR outlines 39 distinct
questions on which the agencies are
in the United States, both banks and non-
seeking comments by February 17, 2017.
banking, including financial market utilities/
Comments can be sent to all or any of the
infrastructures (covered entities) and to the
services provided to them by their vendors, three agencies.
suppliers and other third parties (covered
services).
This Regulatory Alert outlines:
What is an Advance Notice of Proposed
Rulemaking?
What firms would be affected?
Why is the cyber ANPR so significant?
What are the key requirements?
How will the ANPR be implemented?
The agencies will then consider responses they receive and make
changes, as they see fit. They will then seek to issue actual proposed
regulation or guidance. See How will the ANPR be implemented? for
the three implementation options being considered by the agencies.
What firms would be affected? flows and interconnectedness among those assets.
The ANPR has considerable scope across financial services and
beyond. The core focus is financial institutions that are considered
systemically important to the financial services industry and the
economy at large. The proposed rule would be applicable to the
types of institution listed below on an enterprise-wide basis and
would complement, not replace, existing guidance such as the
National Institute of Standards and Technology (NIST) Cybersecurity
Framework (CSF).
Overall, the ANPR proposals would apply directly to:
US bank holding companies with total consolidated assets of $50b
or greater
US savings and loan holding companies with total consolidated
assets of $50b or greater:
All subsidiaries of the above holding companies are also covered
(non-depository subsidiaries will be regulated by the FRB;
depository subsidiaries by the OCC or FDIC as appropriate).
US national, state and state non-member depository institutions
with total assets of $50b or greater that are not subsidiaries of
holding companies
US operations of foreign banking organizations (FBOs) with total US
assets of $50b or greater
Any non-bank financial companies supervised by the FRB, such as
designated non-bank systemically important financial institutions
(SIFIs)
Designated financial market utilities (FMUs) and FRB-supervised
financial market infrastructures (FMIs)
However, the proposed standards could have broad impact well
beyond financial services. The proposals would apply to third-
party service providers with respect to services provided to the
covered entities, especially services that support sector-critical
systems. Third parties include outside vendors, suppliers, customers,
utilities (e.g., power and telecommunications), and other external
organizations and service providers, upon which the firms depend to
deliver services. Many of these firms would face considerably higher
standards if they desire to continue serving financial institutions that
are directly affected, if the proposals are adopted.
The cyber ANPR set outs a two-tiered set of enhanced standards:
Standards that apply to all covered entities and covered services
provided by third parties
Higher expectations for those systems deemed critical to be the
sector (sector-critical systems) and services that support those
systems
2 | Enhanced cyber risk management standards for financial institutions
Key definitions
Internal dependency: business assets (i.e., workforce,
data, technology and facilities) upon which the firm
depends to deliver services, as well as the information
Sources of such risks include insider threats, data
transmission errors and the use of legacy systems
acquired through a merger.
External dependency: Relationships with outside
vendors, suppliers, customers, utilities (e.g., power and
utilities), and other external organizations and service
providers, upon which it depends to deliver services, as
well as the information flows and interconnectedness
between the entity and the external parties. It is
crucial to manage interconnection risks associated
with non-critical external parties that maintain trusted
connections to important systems.
Embedding cyber risk across the
organization
The ANPR explicitly calls on firms to integrate
their formalized cyber risk management strategy,
and associated internal and external dependency
management strategies, into their overall strategic plans
and strategic risk management processes.
Implicitly, this would require firms to embed cyber risk
assessments into:
Due diligence and analysis regarding corporate
development and mergers, acquisitions and dispositions
The approval process for new products
FinTech initiatives and acquisitions
New digital platforms
Their alliance-partner relationships
Inevitably, this would require firms to incorporate
cyber risks into their stress testing and capital planning
processes, their material risk identification processes, and
their stress-test scenario design. Cyber risks would also
need to be covered in recovery and resolution plans.
Why is the cyber ANPR so significant? In effect, it would be more prescriptive than prior guidance
Financial services regulators have long issued interagency guidance
on information security, cybersecurity, and information technology,
particularly through the Federal Financial Institutions Examination
Council (FFIEC). To date, much of this has been guiding principles,
and not binding. It has been used by financial service supervisors and
financial institutions to guide their efforts to strengthen the industrys
cybersecurity efforts.
The new cyber ANPR is much more demanding. It stands apart for
four key reasons:
1. It is aimed at protecting the financial system, not just institutions.
2. In effect, it would be more prescriptive than prior guidance.
3. It sets out even more enhanced expectations for sector-critical
systems.
4. It calls for an enterprise-wide, three-lines-of-defense approach to
addressing cyber risks.
It is aimed at protecting the financial system, not just institutions
In light of fast-evolving threats, vulnerabilities and technologies, and
an ever-expanding and more sophisticated set of cyber attackers,
financial services regulators have greatly stepped up efforts to
strengthen financial institutions cybersecurity. Cross-industry forums
supported by the U.S. Department of the Treasury, such as the
Financial and Banking Information Infrastructure Committee (FIBIC),
have sought to enable collaboration across the public and private
sector. A major focus has been on critical infrastructures, of which
financial services is key. The efforts have, for the most part, focused
on helping individual firms strengthen their cybersecurity, through
guidance and information sharing.
The cyber ANPR takes this to another level. It purposefully takes
a view of cybersecurity across the financial system, elevating
the significance of understanding and actively managing the
interconnectedness within and across the financial service industry.
The proposals are not only aimed at the most systemic institutions
in the industry; they are focused on key players (network nodes) that
serve the industry.
The objective is clear: strengthen the sector, as well as the
institutions. The weakest link could affect the system, through
contagion.
Implications
Firms would be required to have a much deeper and more
comprehensive understanding of the role they play within their
ecosystems, their unique cyber risk profile across the ecosystem,
and critical dependencies on internal and external parties as a
result of the interconnectedness.
Enhanced cyber risk management standards for financial institutions |
While the proposals are principle based in fashion, they constitute
what would be, if implemented rigorously, relatively prescriptive
standards for impacted institutions.
For example, the proposals would require:
The board of directors to have deep knowledge in cybersecurity
or have direct access to relevant expertise from within or outside
the firm
Second-line risk functions to include cyber risk professionals with
direct and independent reporting lines to the board
A detailed board-approved cyber risk management strategy,
which includes strategies to cover internal and external
dependencies, to be directly linked to the firms broader strategic
risk and risk management strategies
A board-approved cyber risk appetite and tolerances, which
cover external and internal risks, that explicitly aim, over time, to
reduce aggregate institutional and sector-wide cyber risk
An inventory of all business assets and their criticality,
including mappings to other assets and business functions, reliance
on external parties, information flows and interconnections
Prioritizing resiliency, monitoring, resources and investment to
those systems deemed as sector critical
The ability to monitor in real time all external dependencies and
trusted connections that support a firms cyber risk management
strategy
Any one of those requirements would be very demanding for most
institutions. But together, their impact would be considerable.
Implications
Firms would have to fundamentally review and possibly
materially update their entire cyber risk management strategy
and governance.
It sets out even more enhanced expectations for sector-critical
systems
The ANPR has a major focus on what it calls sector-critical systems.
In defining these systems, the agencies draw on the Interagency
Paper on Sound Practices to Strengthen the Resilience of the U.S.
Financial System (issued in April 2003), by the FRB, the OCC, and the
U.S. Securities and Exchange Commission.
3
While the papers definition was limited to the resumption of
clearance and settlement activities in wholesale financial markets, the
agencies are considering whether systems should be sector critical if
they support the clearing or settlement of at least 5% of the value of
transactions (on a consistent basis):
In one or more of the markets for federal funds, foreign exchange,
commercial paper, US government and agency securities, and
corporate debt and equity securities
In other markets (for example, exchange-traded and over-the-
counter derivatives) that support the maintenance of a significant
share (for example, 5%) of the total US deposits or balances due
from other depository institutions in the United States
The agencies are considering additional factors to identify sector-
critical systems, such as substitutability and interconnectedness.
Systems that provide key functionality to the financial sector for
which alternatives are limited or nonexistent, or would take excessive
time to implement (for example, due to incompatibility), could have
a material impact on financial stability if they were significantly
disrupted. Systems that act as network nodes to the financial sector
due to their extensive interconnectedness to other financial entities
could also have a material impact on financial stability if significantly
disrupted.
The agencies propose requiring firms that have sector-critical systems
to establish and implement mechanisms to prioritize monitoring,
incident response and recovery of those systems. They also propose
a requirement that firms implement the most effective, commercially
available controls to minimize the residual cyber risk of sector-critical
systems.
In addition, firms with such systems would have to:
Establish a recovery time objective (RTO) of two hours for
sector-critical systems validated by testing to recover from a
disruptive, corruptive or destructive event
Establish protocols for secure, immutable, offline storage of
critical records, formatted using certain defined data standards
to allow for restoration of these records by another financial
institution and service provider, to cover the scenario that firms
cannot recover their sector-critical systems within two hours
Implement testing that would include a range of scenarios,
including severe but plausible scenarios, and that should
address matters such as communications protocols, governance
arrangements, and resumption and recovery practices
At the bank holding company level, measure their ability to
reduce the aggregate residual cyber risk of their sector-critical
systems and their ability to reduce such risk to a minimal level
4 | Enhanced cyber risk management standards for financial institutions
Implications
Firms would have to determine if any of their systems could be
deemed sector-critical and, if so, evaluate the impact of having to
meet considerably more demanding recovery time requirements
for those systems, and the impact of having to prioritize those
systems over other systems. Firms existing approaches to
testing their systems may also require strengthening.
It calls for an enterprise-wide, three-lines-of-defense approach to
addressing cyber risks
Since the financial crisis, financial services regulators have
increasingly sought to compel regulated institutions to have a fully
functioning three-lines-of-defense approach to risk management.
This model depends on first-line, or business-unit, accountability for
managing all risk, financial and nonfinancial; second-line oversight
of aggregate enterprise-wide risks and independent challenge of
the first line; and third-line internal audit assurance of the overall
risk governance approach. Above the three lines, regulators have
demanded that an active, engaged, knowledgeable board of directors
oversees the firm especially senior management and provides
credible effective challenge.
The cyber ANPR explicitly outlines requirements that apply that
model to cyber risks:
The board of directors would have to approve a written cyber
risk management strategy and approve a specific risk appetite
and tolerances for cyber risks. The board should hold senior
management accountable for implementing the strategy and
managing the firm within the approved risk appetite. The board
will need the right skills and resources to execute this enhanced
oversight role.
The first line business units would be expected, among
other responsibilities, to assess, on an ongoing basis, cyber risks
associated with business unit activities and potential vulnerabilities
associated with every business asset, service and IT connection
points. Business units should also identify, measure, monitor and
control cyber risks consistent with the firms approved risk appetite
and tolerances.
The second line risk management and compliance
would be expected, among other responsibilities, to report on
implementation of firms cyber risk management framework. It
should also analyze cyber risk at the enterprise level to identify and
monitor effective response to events with the potential to impact
one or multiple operating units. The second line should identify and
assess the firms material aggregate risks and determine whether
actions need to be taken to strengthen risk management or reduce
risk given changes in the firms risk profile or other conditions, with
a particular emphasis on sector-critical systems. In addition, the
second line should validate compliance with the firms cyber risk
management framework and that the framework is compliant with
applicable laws and regulations.
 The third line internal audit would be expected to, among
other responsibilities, assess whether the cyber risk management
framework complies with applicable laws and regulations and is
appropriate for its size, complexity, interconnectedness and risk
profile. Internal audit would also incorporate an assessment of
the design and operating effectiveness of the firms cyber risk
management approach into its overall audit plan.
Implications
Firms will have to review and revise organization structures;
roles and responsibilities; resourcing; and strategies, policies,
procedures and plans across the three lines of defense. Firms
would also have to review and potentially revise board-level
governance. board of directors, as appropriate, when its assessment of cyber
What are the key requirements? of compliance with board-approved cyber risk management
The standards would be organized in five categories:
1. Cyber risk governance
2. Cyber risk management
3. Internal dependency management
4. External dependency management
5. Incident response, cyber resilience, situational awareness (i.e.,
threat intelligence)
1. Cyber risk governance
In the ANPR, the agencies seek to apply enhanced standards for
corporate governance and risk governance to firms cybersecurity
approaches. The ANPR calls for strong board oversight.
Proposals include requiring firms to:
Develop and maintain a written, board-approved, enterprise-wide
cyber risk management strategy that is integrated into strategic
plans and risk management structures and that articulates how
firms:
Address inherent cyber risk (i.e., cyber risk before mitigating
controls or other considerations)
Maintain an acceptable level of residual risk (i.e., cyber risk after
mitigating controls or other considerations)
Maintain resilience on an ongoing basis
Establish a framework of policies and procedures to implement
strategy and cyber risk tolerances consistent with the firms risk
appetite and strategy
Manage cyber risk appropriate to nature of firms operations,
manage residual cyber risk to level approved by board
Enhanced cyber risk management standards for financial institutions |
2. Cyber risk management
As noted above, the ANPR sets out expansive requirements on the
first, second and third lines of defense. In addition to the issues noted
above, the proposals would require the:
First line to maintain, or have access to, resources and staff
with the right skill-set to meets the business units cybersecurity
responsibilities and to report to senior management (including the
CEO), in a timely manner, so management can react appropriately
to emerging cyber risks and incidents
Second line to have executives responsible for cyber risk oversight
(e.g., chief information security officers) independent of business
line management, who should have sufficient independence,
stature, authority and resources and should report to the CEO and
risks differs from that of the first-line business unit or when a unit
exceeds the firms established cyber risk tolerances
Third line to have audit plans that evaluate the adequacy
framework and that cover the entire security life cycle, including
penetration testing and other vulnerability assessment activities
3. Internal dependency management
Firms would have to integrate an explicit internal dependency
management strategy (IDMS) into the firms overall strategic and
cyber risk management plans.
The IDMS would, among other items, require firms to have:
Effective capabilities to identify and manage cyber risks associated
with their business assets throughout their lifespans and to
continually assess and improve, as necessary, their ability to reduce
the cyber risks associated with internal dependencies on enterprise-
wide basis
A current and complete awareness of all internal assets and
business functions that support the firms cyber risk management
strategy, which should be mapped to other assets and business
functions, information flows, and interconnections
An inventory of all business assets on an enterprise-wide basis,
prioritized by their criticality to the business functions they support,
the firms mission and the financial sector
Track connections among assets and cyber risk levels
throughout assets life cycles using relevant data and analysis
across the firm
Appropriate controls to address inherent cyber risk in the firms
assets, taking into account prioritization of firms assets and the
cyber risks they pose to the firm, by:
Assessing the cyber risks of assets and their operating
environment prior to deployment
Continually applying controls and monitoring assets and their
operating environments (including deviations from baseline
cybersecurity configurations) over the assets life cycles
5
 Assessing relevant cyber risks to the assets (e.g., insider threats
to systems and data) and mitigating identified deviations, granted
exemptions and known violations to internal dependent cyber
risk management policies, standards and procedures
4. External dependency management
With regard to external dependencies, firms would have to integrate
an explicit external dependency management strategy (EDMS)
strategy into firms strategic and cyber risk management plans.
The EDMS would, among other items, require firms to have:
Effective capabilities in place to identify and manage cyber risks
associated with external dependencies and interconnection
risks throughout these relationships, and continually assess and
improve, as necessary, their effectiveness in reducing cyber risks
associated with external dependencies and interconnection risks
enterprise-wide
The ability to monitor in real time all external dependencies and
trusted connections that support a firms cyber risk management
strategy
A current, accurate and complete awareness of all external
dependencies and trusted connections enterprise-wide,
prioritized based on their criticality to the business functions they
support, including mappings to supported assets and business
function
The ability to monitor the universe of external dependencies
that connect to assets supporting systems critical to the firm
and sector, and track connections among external dependencies,
organizational assets, and cyber risks throughout their lifespans
Tracking capabilities that enable timely notification of cyber risk
management issues to designated stakeholders
5. Incident response, cyber resilience, situational awareness (i.e.,
threat intelligence)
The agencies want firms to plan for, respond to, contain and rapidly
recover from disruptions caused by cyber incidents, thereby
strengthening their cyber resilience and the sector. The agencies also
want firms that are capable of operating critical business functions in
face of attacks and of continuously enhancing cyber resilience.
As such, the proposals require, among other matters, that firms:
Establish processes designed to maintain effective situational
awareness capabilities to reliably predict, analyze and respond
to changes in operating environment and to maintain effective
incident response and cyber resilience governance, strategies and
capacities that enable the organizations to anticipate, withstand,
contain and rapidly recover from a disruption:
This includes ongoing situational awareness of operational
status and cybersecurity posture to preempt cyber events and
respond rapidly to them, establishing and maintaining profiles
for identified threats to the firm, gathering actionable cyber
intelligence and performing ongoing security analytics, and
capabilities for ongoing vulnerability management and threat
modeling.
6 | Enhanced cyber risk management standards for financial institutions
Establish and maintain enterprise-wide cyber resilience and
incident response programs, to include escalation protocols linked
to organizational decision levels, cyber contagion containment
procedures and communication strategies; processes to incorporate
lessons learned back into the program; and cyber resilience
strategies and exercises that consider wide-scale recovery
scenarios designed to achieve institutional resilience, support for
the sector-wide resilience, and minimize risks from interconnected
parties
Establish and implement strategies to meet the firms obligations
for performing core business functions in the event of
disruption, including the potential for multiple concurrent or
widespread interruptions and cyber attacks on various elements
of interconnected critical infrastructure, e.g., energy and
telecommunications
Establish protocols for secure, immutable, offline storage of
critical records, including financial records of the institution,
loan data, asset management account information and daily
deposit account records, including balances and ownership details,
formatted using certain defined data standards to allow for
restoration of these records by another financial institution, service
provider or the FDIC in the event of resolution of the firm
Conduct testing that addresses a disruptive, destructive,
corruptive or another cyber event that could affect the ability to
service clients and incur significant downtime that would affect the
business resilience of clients; such testing would:
Address external interdependencies (e.g., connectivity to
markets, payment systems, clearing entities, messaging services
and other critical partners)
Be undertaken jointly where critical dependencies exist
Validate the effectiveness of internal and external communication
protocols with stakeholders
How will the ANPR be implemented?
Within the questions posed, the agencies seek views on how the
proposal should be implemented, i.e., policy statement versus
detailed regulation. They offer three approaches, from the least to
most prescriptive:
1. Combination of a regulatory requirement to maintain a risk
management framework for cyber risks along with a policy
statement or guidance that describes minimum expectations for
the framework.
2. Specific cyber risk management standards (e.g., requirement
for entities to establish a cybersecurity framework), which would
cover the five categories noted above. For each category, the
firm would have to establish and maintain policies, procedures,
practices, controls, personnel and systems, as well as a corporate
governance structure that supports implementation of, and
compliance with, the program enterprise-wide, and necessary
changes to the program due to the firms evolving risk profile.
3. A regulatory framework that is more detailed than approach #2,
detailing specific objectives and practices covered entities would
have to achieve for each of the five categories so that they can
demonstrate compliance with the requirements.

The agencies are seeking comments on the proposals by February 17,

2017. Contacts details for each agency can be found on the ANPR.
Firms are encouraged to read the detailed proposals with a view to
considering whether they should respond to the questions outlined in
the ANPR. Impacted firms that wish to have input to the consultative
process are advised to respond to this ANPR.

EY Contacts
John Doherty Matt Moog
+1 212 773 2734 +1 212 773 2096
john.doherty@ey.com matthew.moog@ey.com

Jaime Kahan Tom Campanile

+1 212 773 7755 +1 212 773 8461
jaime.kahan@ey.com thomas.campanile@ey.com

Chris Kipphut Cindy Doe

+1 704 338 0491 +1 617 375 4558
chris.kipphut1@ey.com cynthia.doe@ey.com

Ertem Osmanoglu Dan Costa

+1 212 773 3520 +1 212 773 5877
ertem.osmanoglu@ey.com dan.costa@ey.com

Mark Watson Samir Nangea

+1 617 305 2217 +1 212 773 6742
mark.watson@ey.com samir.nangea@ey.com

Paul Sussex Scott Waterhouse

+1 212 773 2802 +1 212 773 9974
paul.sussex@ey.com scott.waterhouse@ey.com

Enhanced cyber risk management standards for financial institutions | 7

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world over.
We develop outstanding leaders who team to deliver on our promises
to all of our stakeholders. In so doing, we play a critical role in building
a better working world for our people, for our clients and for our
communities.

EY refers to the global organization, and may refer to one or more, of

the member firms of Ernst & Young Global Limited, each of which is
a separate legal entity. Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services to clients. For more
information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young
Global Limited operating in the US.

2017 EYGM Limited.

All Rights Reserved.

This material has been prepared for general informational purposes only and
is not intended to be relied upon as accounting, tax or other professional
advice. Please refer to your advisors for specific advice.

ey.com/cyberanpr

SCORE no. 03562-161US

1701-2184383 BDFSO
ED None