Financial Services
Regulatory Alert

Enhanced cyber risk management standards for financial institutions
- Any non-bank financial companies supervised by the FRB, such as designated non-bank systemically important financial institutions (SIFIs)
- Designated financial market utilities (FMUs) and FRB-supervised financial market infrastructures (FMIs)

However, the proposed standards could have broad impact well beyond financial services. The proposals would apply to third-party service providers with respect to services provided to the covered entities, especially services that support sector-critical systems. Third parties include outside vendors, suppliers, customers, utilities (e.g., power and telecommunications), and other external organizations and service providers, upon which the firms depend to deliver services. Many of these firms would face considerably higher standards if they desire to continue serving financial institutions that are directly affected, if the proposals are adopted.

The cyber ANPR sets out a two-tiered set of enhanced standards:

- Standards that apply to all covered entities and covered services provided by third parties
- Higher expectations for those systems deemed critical to the sector (sector-critical systems) and services that support those systems

Embedding cyber risk across the organization

The ANPR explicitly calls on firms to integrate their formalized cyber risk management strategy, and associated internal and external dependency management strategies, into their overall strategic plans and strategic risk management processes.

Implicitly, this would require firms to embed cyber risk assessments into:

- Due diligence and analysis regarding corporate development and mergers, acquisitions and dispositions
- The approval process for new products
- FinTech initiatives and acquisitions
- New digital platforms
- Their alliance-partner relationships

Inevitably, this would require firms to incorporate cyber risks into their stress testing and capital planning processes, their material risk identification processes, and their stress-test scenario design. Cyber risks would also need to be covered in recovery and resolution plans.
Financial services regulators have long issued interagency guidance on information security, cybersecurity, and information technology, particularly through the Federal Financial Institutions Examination Council (FFIEC). To date, much of this has been guiding principles, and not binding. It has been used by financial service supervisors and financial institutions to guide their efforts to strengthen the industry's cybersecurity.

The new cyber ANPR is much more demanding. It stands apart for four key reasons:

1. It is aimed at protecting the financial system, not just institutions.
2. In effect, it would be more prescriptive than prior guidance.
3. It sets out even more enhanced expectations for sector-critical systems.
4. It calls for an enterprise-wide, three-lines-of-defense approach to addressing cyber risks.

It is aimed at protecting the financial system, not just institutions

In light of fast-evolving threats, vulnerabilities and technologies, and an ever-expanding and more sophisticated set of cyber attackers, financial services regulators have greatly stepped up efforts to strengthen financial institutions' cybersecurity. Cross-industry forums supported by the U.S. Department of the Treasury, such as the Financial and Banking Information Infrastructure Committee (FIBIC), have sought to enable collaboration across the public and private sector. A major focus has been on critical infrastructures, of which financial services is key. The efforts have, for the most part, focused on helping individual firms strengthen their cybersecurity, through guidance and information sharing.

The objective is clear: strengthen the sector, as well as the institutions. The weakest link could affect the system, through contagion.

Implications

Firms would be required to have a much deeper and more comprehensive understanding of the role they play within their ecosystems, their unique cyber risk profile across the ecosystem, and critical dependencies on internal and external parties as a result of the interconnectedness.

While the proposals are principle-based in fashion, they constitute what would be, if implemented rigorously, relatively prescriptive standards for impacted institutions. For example, the proposals would require:

- The board of directors to have deep knowledge in cybersecurity or have direct access to relevant expertise from within or outside the firm
- Second-line risk functions to include cyber risk professionals with direct and independent reporting lines to the board
- A detailed board-approved cyber risk management strategy, which includes strategies to cover internal and external dependencies, to be directly linked to the firm's broader strategic risk and risk management strategies
- A board-approved cyber risk appetite and tolerances, which cover external and internal risks, that explicitly aim, over time, to reduce aggregate institutional and sector-wide cyber risk
- An inventory of all business assets and their criticality, including mappings to other assets and business functions, reliance on external parties, information flows and interconnections
- Prioritizing resiliency, monitoring, resources and investment to those systems deemed as sector critical
- The ability to monitor in real time all external dependencies and trusted connections that support a firm's cyber risk management strategy

Any one of those requirements would be very demanding for most institutions. But together, their impact would be considerable.

It sets out even more enhanced expectations for sector-critical systems

The ANPR has a major focus on what it calls sector-critical systems. In defining these systems, the agencies draw on the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (issued in April 2003), by the FRB, the OCC, and the U.S. Securities and Exchange Commission.
The agencies are considering additional factors to identify sector-critical systems, such as substitutability and interconnectedness. Systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility), could have a material impact on financial stability if they were significantly disrupted. Systems that act as network nodes to the financial sector due to their extensive interconnectedness to other financial entities could also have a material impact on financial stability if significantly disrupted.

The agencies propose requiring firms that have sector-critical systems to establish and implement mechanisms to prioritize monitoring, incident response and recovery of those systems. They also propose a requirement that firms implement the most effective, commercially available controls to minimize the residual cyber risk of sector-critical systems.

In addition, firms with such systems would have to:

- Establish a recovery time objective (RTO) of two hours for sector-critical systems, validated by testing, to recover from a disruptive, corruptive or destructive event
- Establish protocols for secure, immutable, offline storage of critical records, formatted using certain defined data standards to allow for restoration of these records by another financial institution and service provider, to cover the scenario that firms cannot recover their sector-critical systems within two hours
- Implement testing that would include a range of scenarios, including severe but plausible scenarios, and that should address matters such as communications protocols, governance arrangements, and resumption and recovery practices
- At the bank holding company level, measure their ability to reduce the aggregate residual cyber risk of their sector-critical systems and their ability to reduce such risk to a minimal level

Since the financial crisis, financial services regulators have increasingly sought to compel regulated institutions to have a fully functioning three-lines-of-defense approach to risk management. This model depends on first-line, or business-unit, accountability for managing all risk, financial and nonfinancial; second-line oversight of aggregate enterprise-wide risks and independent challenge of the first line; and third-line internal audit assurance of the overall risk governance approach. Above the three lines, regulators have demanded that an active, engaged, knowledgeable board of directors oversees the firm, especially senior management, and provides credible, effective challenge.

The cyber ANPR explicitly outlines requirements that apply that model to cyber risks:

- The board of directors would have to approve a written cyber risk management strategy and approve a specific risk appetite and tolerances for cyber risks. The board should hold senior management accountable for implementing the strategy and managing the firm within the approved risk appetite. The board will need the right skills and resources to execute this enhanced oversight role.
- The first line (business units) would be expected, among other responsibilities, to assess, on an ongoing basis, cyber risks associated with business unit activities and potential vulnerabilities associated with every business asset, service and IT connection point. Business units should also identify, measure, monitor and control cyber risks consistent with the firm's approved risk appetite and tolerances.
- The second line (risk management and compliance) would be expected, among other responsibilities, to report on implementation of the firm's cyber risk management framework. It should also analyze cyber risk at the enterprise level to identify and monitor effective response to events with the potential to impact one or multiple operating units. The second line should identify and assess the firm's material aggregate risks and determine whether actions need to be taken to strengthen risk management or reduce risk given changes in the firm's risk profile or other conditions, with a particular emphasis on sector-critical systems. In addition, the second line should validate compliance with the firm's cyber risk management framework and that the framework is compliant with applicable laws and regulations.
- Second line to have executives responsible for cyber risk oversight (e.g., chief information security officers) independent of business line management, who should have sufficient independence, stature, authority and resources and should report to the CEO and board of directors, as appropriate, when its assessment of cyber risks differs from that of the first-line business unit or when a unit exceeds the firm's established cyber risk tolerances

Firms will have to review and revise organization structures; roles and responsibilities; resourcing; and strategies, policies, procedures and plans across the three lines of defense. Firms would also have to review and potentially revise board-level governance.
The EDMS would, among other items, require firms to have:

- Effective capabilities in place to identify and manage cyber risks associated with external dependencies and interconnection risks throughout these relationships, and continually assess and improve, as necessary, their effectiveness in reducing cyber risks associated with external dependencies and interconnection risks enterprise-wide
- The ability to monitor in real time all external dependencies and trusted connections that support a firm's cyber risk management strategy
- A current, accurate and complete awareness of all external dependencies and trusted connections enterprise-wide, prioritized based on their criticality to the business functions they support, including mappings to supported assets and business functions
- The ability to monitor the universe of external dependencies that connect to assets supporting systems critical to the firm and sector, and track connections among external dependencies, organizational assets, and cyber risks throughout their lifespans
- Tracking capabilities that enable timely notification of cyber risk management issues to designated stakeholders

5. Incident response, cyber resilience, situational awareness (i.e., threat intelligence)

The agencies want firms to plan for, respond to, contain and rapidly recover from disruptions caused by cyber incidents, thereby strengthening their own cyber resilience and that of the sector. The agencies also want firms to be capable of operating critical business functions in the face of attacks and of continuously enhancing cyber resilience.

As such, the proposals require, among other matters, that firms:

- Establish processes designed to maintain effective situational awareness capabilities to reliably predict, analyze and respond to changes in the operating environment, and to maintain effective incident response and cyber resilience governance, strategies and capacities that enable the organization to anticipate, withstand, contain and rapidly recover from a disruption:
  - This includes ongoing situational awareness of operational status and cybersecurity posture to preempt cyber events and respond rapidly to them, establishing and maintaining profiles for identified threats to the firm, gathering actionable cyber intelligence and performing ongoing security analytics, and capabilities for ongoing vulnerability management and threat modeling.
- Establish and implement strategies to meet the firm's obligations for performing core business functions in the event of disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on various elements of interconnected critical infrastructure, e.g., energy and telecommunications
- Establish protocols for secure, immutable, offline storage of critical records, including financial records of the institution, loan data, asset management account information and daily deposit account records, including balances and ownership details, formatted using certain defined data standards to allow for restoration of these records by another financial institution, service provider or the FDIC in the event of resolution of the firm
- Conduct testing that addresses a disruptive, destructive, corruptive or other cyber event that could affect the ability to service clients and incur significant downtime that would affect the business resilience of clients; such testing would:
  - Address external interdependencies (e.g., connectivity to markets, payment systems, clearing entities, messaging services and other critical partners)
  - Be undertaken jointly where critical dependencies exist
  - Validate the effectiveness of internal and external communication protocols with stakeholders

How will the ANPR be implemented?

Within the questions posed, the agencies seek views on how the proposal should be implemented, i.e., policy statement versus detailed regulation. They offer three approaches, from the least to the most prescriptive:

1. Combination of a regulatory requirement to maintain a risk management framework for cyber risks along with a policy statement or guidance that describes minimum expectations for the framework.
2. Specific cyber risk management standards (e.g., requirement for entities to establish a cybersecurity framework), which would cover the five categories noted above. For each category, the firm would have to establish and maintain policies, procedures, practices, controls, personnel and systems, as well as a corporate governance structure that supports implementation of, and compliance with, the program enterprise-wide, and necessary changes to the program due to the firm's evolving risk profile.
EY Contacts
John Doherty
+1 212 773 2734
john.doherty@ey.com

Matt Moog
+1 212 773 2096
matthew.moog@ey.com
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world over.
We develop outstanding leaders who team to deliver on our promises
to all of our stakeholders. In so doing, we play a critical role in building
a better working world for our people, for our clients and for our
communities.
Ernst & Young LLP is a client-serving member firm of Ernst & Young
Global Limited operating in the US.
This material has been prepared for general informational purposes only and
is not intended to be relied upon as accounting, tax or other professional
advice. Please refer to your advisors for specific advice.
ey.com/cyberanpr