October 2016
Financial Services Regulatory Alert

Enhanced cyber risk management standards for financial institutions
Implement enhanced cyber risk standards

On Wednesday, October 19, 2016, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board (FRB) (collectively, the agencies) jointly announced enhanced cyber risk management standards for financial institutions in the form of an Advance Notice of Proposed Rulemaking (ANPR). The ANPR outlines enhanced cybersecurity risk management and resilience standards that would apply to large and interconnected entities under the agencies’ supervision.

Put simply, the proposals would constitute the most significant and demanding standards relevant to cybersecurity applied to major financial services firms operating in the United States, both banks and non-banks, including financial market utilities/infrastructures (covered entities), and to the services provided to them by their vendors, suppliers and other third parties (covered services).

This Regulatory Alert outlines:
• What is an Advance Notice of Proposed Rulemaking?
• What firms would be affected?
• Why is the cyber ANPR so significant?
• What are the key requirements?
• How will the ANPR be implemented?

Recommended immediate actions
• Impacted institutions should review the ANPR and evaluate, if implemented as proposed, the range of potential changes that would be needed to your:
  • Cyber risk management strategy
  • Board and senior management oversight and engagement processes
  • Three-lines-of-defense approach to cyber risk management
  • Business asset inventory, including criticality assessments and information flows
  • Vendor risk management strategy
  • Incident response and resilience capabilities
• Brief your board of directors and executive management on the ANPR and its potential implications for your organization
• Consider responding to the ANPR during the comment period that ends on January 17, 2017

What is an Advance Notice of Proposed Rulemaking?
Industry participants are familiar with the ANPR process, but many firms beyond financial services that could be affected may not be. An ANPR is a preliminary draft of proposed regulation. While not as detailed or prescriptive as a final rule, it is intended to set out the main components of potential regulation and the key open questions regarding the content and scope of the proposal, as a basis for consultation with the industry and the third parties supporting it.

The cyber ANPR outlines 39 distinct questions on which the agencies are seeking comments by January 17, 2017. Comments can be sent to all or any of the three agencies.
The agencies will then consider the responses they receive and make changes as they see fit. They will then seek to issue actual proposed regulation or guidance. See “How will the ANPR be implemented?” for the three implementation options being considered by the agencies.
What firms would be affected?
The ANPR has considerable scope across financial services and beyond. The core focus is financial institutions that are considered systemically important to the financial services industry and the economy at large. The proposed rule would apply to the types of institution listed below on an enterprise-wide basis and would complement, not replace, existing guidance such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Overall, the ANPR proposals would apply directly to:
• US bank holding companies with total consolidated assets of $50b or greater
• US savings and loan holding companies with total consolidated assets of $50b or greater
  • All subsidiaries of the above holding companies are also covered (non-depository subsidiaries will be regulated by the FRB; depository subsidiaries by the OCC or FDIC, as appropriate)
• US national, state and state non-member depository institutions with total assets of $50b or greater that are not subsidiaries of holding companies
• US operations of foreign banking organizations (FBOs) with total US assets of $50b or greater
• Any non-bank financial companies supervised by the FRB, such as designated non-bank systemically important financial institutions (SIFIs)
• Designated financial market utilities (FMUs) and FRB-supervised financial market infrastructures (FMIs)

However, the proposed standards could have broad impact well beyond financial services. The proposals would apply to third-party service providers with respect to services provided to the covered entities, especially services that support sector-critical systems. Third parties include outside vendors, suppliers, customers, utilities (e.g., power and telecommunications), and other external organizations and service providers upon which the firms depend to deliver services. If the proposals are adopted, many of these firms would face considerably higher standards if they wish to continue serving the financial institutions that are directly affected.

The cyber ANPR sets out a two-tiered set of enhanced standards:
• Standards that apply to all covered entities and covered services provided by third parties
• Higher expectations for those systems deemed critical to the sector (sector-critical systems) and the services that support those systems
Key definitions
• Internal dependency: business assets (i.e., workforce, data, technology and facilities) upon which the firm depends to deliver services, as well as the information flows and interconnectedness among those assets. Sources of such risks include insider threats, data transmission errors and the use of legacy systems acquired through a merger.
• External dependency: relationships with outside vendors, suppliers, customers, utilities (e.g., power and telecommunications), and other external organizations and service providers upon which the firm depends to deliver services, as well as the information flows and interconnectedness between the entity and the external parties. It is crucial to manage the interconnection risks associated with non-critical external parties that maintain trusted connections to important systems.
Embedding cyber risk across the organization
The ANPR explicitly calls on firms to integrate their formalized cyber risk management strategy, and the associated internal and external dependency management strategies, into their overall strategic plans and strategic risk management processes.

Implicitly, this would require firms to embed cyber risk assessments into:
• Due diligence and analysis regarding corporate development and mergers, acquisitions and dispositions
• The approval process for new products
• FinTech initiatives and acquisitions
• New digital platforms
• Their alliance-partner relationships

Inevitably, this would require firms to incorporate cyber risks into their stress testing and capital planning processes, their material risk identification processes, and their stress-test scenario design. Cyber risks would also need to be covered in recovery and resolution plans.
Why is the cyber ANPR so significant?
Financial services regulators have long issued interagency guidance on information security, cybersecurity and information technology, particularly through the Federal Financial Institutions Examination Council (FFIEC). To date, much of this has consisted of guiding principles and has not been binding. It has been used by financial services supervisors and financial institutions to guide their efforts to strengthen the industry’s cybersecurity.

The new cyber ANPR is much more demanding. It stands apart for four key reasons:
1. It is aimed at protecting the financial system, not just institutions.
2. In effect, it would be more prescriptive than prior guidance.
3. It sets out even more enhanced expectations for sector-critical systems.
4. It calls for an enterprise-wide, three-lines-of-defense approach to addressing cyber risks.
It is aimed at protecting the financial system, not just institutions
In light of fast-evolving threats, vulnerabilities and technologies, and an ever-expanding and more sophisticated set of cyber attackers, financial services regulators have greatly stepped up efforts to strengthen financial institutions’ cybersecurity. Cross-industry forums supported by the U.S. Department of the Treasury, such as the Financial and Banking Information Infrastructure Committee (FBIIC), have sought to enable collaboration across the public and private sectors. A major focus has been on critical infrastructures, of which financial services is key. These efforts have, for the most part, focused on helping individual firms strengthen their cybersecurity through guidance and information sharing.

The cyber ANPR takes this to another level. It purposefully takes a view of cybersecurity across the financial system, elevating the significance of understanding and actively managing the interconnectedness within and across the financial services industry. The proposals are not only aimed at the most systemic institutions in the industry; they are also focused on the key players (network nodes) that serve the industry.

The objective is clear: strengthen the sector, as well as the institutions. The weakest link could affect the whole system through contagion.

Implications
Firms would be required to have a much deeper and more comprehensive understanding of the role they play within their ecosystems, their unique cyber risk profile across the ecosystem, and their critical dependencies on internal and external parties that result from this interconnectedness.
In effect, it would be more prescriptive than prior guidance
While the proposals are principles-based in fashion, they constitute what would be, if implemented rigorously, relatively prescriptive standards for impacted institutions.

For example, the proposals would require:
• The board of directors to have deep knowledge in cybersecurity or to have direct access to relevant expertise from within or outside the firm
• Second-line risk functions to include cyber risk professionals with direct and independent reporting lines to the board
• A detailed board-approved cyber risk management strategy, which includes strategies to cover internal and external dependencies, to be directly linked to the firm’s broader strategic risk and risk management strategies
• A board-approved cyber risk appetite and tolerances, covering external and internal risks, that explicitly aim, over time, to reduce aggregate institutional and sector-wide cyber risk
• An inventory of all business assets and their criticality, including mappings to other assets and business functions, reliance on external parties, information flows and interconnections
• Prioritizing resiliency, monitoring, resources and investment for those systems deemed sector-critical
• The ability to monitor in real time all external dependencies and trusted connections that support a firm’s cyber risk management strategy

Any one of these requirements would be very demanding for most institutions. Taken together, their impact would be considerable.

Implications
Firms would have to fundamentally review and possibly materially update their entire cyber risk management strategy and governance.

It sets out even more enhanced expectations for sector-critical systems
The ANPR has a major focus on what it calls “sector-critical systems.” In defining these systems, the agencies draw on the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (issued in April 2003) by the FRB, the OCC and the U.S. Securities and Exchange Commission.
While the paper’s definition was limited to the resumption of clearance and settlement activities in wholesale financial markets, the agencies are considering whether systems should be sector-critical if they support the clearing or settlement of at least 5% of the value of transactions (on a consistent basis):
• In one or more of the markets for federal funds, foreign exchange, commercial paper, US government and agency securities, and corporate debt and equity securities
• In other markets (for example, exchange-traded and over-the-counter derivatives) that support the maintenance of a significant share (for example, 5%) of the total US deposits or balances due from other depository institutions in the United States

The agencies are considering additional factors to identify sector-critical systems, such as substitutability and interconnectedness. Systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility), could have a material impact on financial stability if they were significantly disrupted. Systems that act as network nodes to the financial sector, due to their extensive interconnectedness with other financial entities, could also have a material impact on financial stability if significantly disrupted.

The agencies propose requiring firms that have sector-critical systems to establish and implement mechanisms to prioritize monitoring, incident response and recovery of those systems. They also propose a requirement that firms implement the most effective, commercially available controls to minimize the residual cyber risk of sector-critical systems.

In addition, firms with such systems would have to:
• Establish a recovery time objective (RTO) of two hours for sector-critical systems — validated by testing — to recover from a disruptive, corruptive or destructive event
• Establish protocols for secure, immutable, offline storage of critical records, formatted using certain defined data standards to allow for restoration of these records by another financial institution or service provider, to cover the scenario in which firms cannot recover their sector-critical systems within two hours
• Implement testing that would include a range of scenarios, including severe but plausible scenarios, and that should address matters such as communications protocols, governance arrangements, and resumption and recovery practices
• At the bank holding company level, measure their ability to reduce the aggregate residual cyber risk of their sector-critical systems and their ability to reduce such risk to a minimal level

Implications
Firms would have to determine whether any of their systems could be deemed sector-critical and, if so, evaluate the impact of having to meet considerably more demanding recovery time requirements for those systems, and the impact of having to prioritize those systems over other systems. Firms’ existing approaches to testing their systems may also require strengthening.
It calls for an enterprise-wide, three-lines-of-defense approach to addressing cyber risks
Since the financial crisis, financial services regulators have increasingly sought to compel regulated institutions to have a fully functioning three-lines-of-defense approach to risk management. This model depends on first-line, or business-unit, accountability for managing all risk, financial and nonfinancial; second-line oversight of aggregate enterprise-wide risks and independent challenge of the first line; and third-line — internal audit — assurance of the overall risk governance approach. Above the three lines, regulators have demanded that an active, engaged, knowledgeable board of directors oversees the firm — especially senior management — and provides credible, effective challenge.

The cyber ANPR explicitly outlines requirements that apply that model to cyber risks:
• The board of directors would have to approve a written cyber risk management strategy and approve a specific risk appetite and tolerances for cyber risks. The board should hold senior management accountable for implementing the strategy and managing the firm within the approved risk appetite. The board will need the right skills and resources to execute this enhanced oversight role.
• The first line — business units — would be expected, among other responsibilities, to assess, on an ongoing basis, the cyber risks associated with business unit activities and the potential vulnerabilities associated with every business asset, service and IT connection point. Business units should also identify, measure, monitor and control cyber risks consistent with the firm’s approved risk appetite and tolerances.
• The second line — risk management and compliance — would be expected, among other responsibilities, to report on implementation of the firm’s cyber risk management framework. It should also analyze cyber risk at the enterprise level to identify and monitor effective response to events with the potential to impact one or multiple operating units. The second line should identify and assess the firm’s material aggregate risks and determine whether actions need to be taken to strengthen risk management or reduce risk given changes in the firm’s risk profile or other conditions, with a particular emphasis on sector-critical systems. In addition, the second line should validate compliance with the firm’s cyber risk management framework and that the framework is compliant with applicable laws and regulations.
• The third line — internal audit — would be expected, among other responsibilities, to assess whether the cyber risk management framework complies with applicable laws and regulations and is appropriate for the firm’s size, complexity, interconnectedness and risk profile. Internal audit would also incorporate an assessment of the design and operating effectiveness of the firm’s cyber risk management approach into its overall audit plan.

Implications
Firms will have to review and revise organization structures; roles and responsibilities; resourcing; and strategies, policies, procedures and plans across the three lines of defense. Firms would also have to review and potentially revise board-level governance.
What are the key requirements?
The standards would be organized in five categories:
1. Cyber risk governance
2. Cyber risk management
3. Internal dependency management
4. External dependency management
5. Incident response, cyber resilience, situational awareness (i.e., threat intelligence)

1. Cyber risk governance
In the ANPR, the agencies seek to apply enhanced standards for corporate governance and risk governance to firms’ cybersecurity approaches. The ANPR calls for strong board oversight.

Proposals include requiring firms to:
• Develop and maintain a written, board-approved, enterprise-wide cyber risk management strategy that is integrated into strategic plans and risk management structures and that articulates how firms:
  • Address inherent cyber risk (i.e., cyber risk before mitigating controls or other considerations)
  • Maintain an acceptable level of residual risk (i.e., cyber risk after mitigating controls or other considerations)
  • Maintain resilience on an ongoing basis
• Establish a framework of policies and procedures to implement the strategy and cyber risk tolerances consistent with the firm’s risk appetite and strategy
• Manage cyber risk in a manner appropriate to the nature of the firm’s operations, and manage residual cyber risk to the level approved by the board
2. Cyber risk management
As noted above, the ANPR sets out expansive requirements on the first, second and third lines of defense. In addition to the issues noted above, the proposals would require the:
• First line to maintain, or have access to, resources and staff with the right skill set to meet the business unit’s cybersecurity responsibilities, and to report to senior management (including the CEO) in a timely manner so that management can react appropriately to emerging cyber risks and incidents
• Second line to have executives responsible for cyber risk oversight (e.g., chief information security officers) who are independent of business line management, who should have sufficient independence, stature, authority and resources, and who should report to the CEO and board of directors, as appropriate, when their assessment of cyber risks differs from that of the first-line business unit or when a unit exceeds the firm’s established cyber risk tolerances
• Third line to have audit plans that evaluate the adequacy of compliance with the board-approved cyber risk management framework and that cover the entire security life cycle, including penetration testing and other vulnerability assessment activities
3. Internal dependency management
Firms would have to integrate an explicit internal dependency management strategy (IDMS) into the firm’s overall strategic and cyber risk management plans.

The IDMS would, among other items, require firms to have:
• Effective capabilities to identify and manage the cyber risks associated with their business assets throughout their lifespans, and to continually assess and improve, as necessary, their ability to reduce the cyber risks associated with internal dependencies on an enterprise-wide basis
• A current and complete awareness of all internal assets and business functions that support the firm’s cyber risk management strategy, which should be mapped to other assets and business functions, information flows, and interconnections
• An inventory of all business assets on an enterprise-wide basis, prioritized by their criticality to the business functions they support, the firm’s mission and the financial sector
• The ability to track connections among assets and cyber risk levels throughout the assets’ life cycles, using relevant data and analysis across the firm
• Appropriate controls to address inherent cyber risk in the firm’s assets, taking into account the prioritization of the firm’s assets and the cyber risks they pose to the firm, by:
  • Assessing the cyber risks of assets and their operating environment prior to deployment
  • Continually applying controls and monitoring assets and their operating environments (including deviations from baseline cybersecurity configurations) over the assets’ life cycles
  • Assessing relevant cyber risks to the assets (e.g., insider threats to systems and data) and mitigating identified deviations, granted exemptions and known violations of internal dependency cyber risk management policies, standards and procedures
4. External dependency management
With regard to external dependencies, firms would have to integrate an explicit external dependency management strategy (EDMS) into the firm’s strategic and cyber risk management plans.

The EDMS would, among other items, require firms to have:
• Effective capabilities in place to identify and manage the cyber risks associated with external dependencies and interconnection risks throughout these relationships, and to continually assess and improve, as necessary, their effectiveness in reducing the cyber risks associated with external dependencies and interconnection risks enterprise-wide
• The ability to monitor in real time all external dependencies and trusted connections that support a firm’s cyber risk management strategy
• A current, accurate and complete awareness of all external dependencies and trusted connections enterprise-wide, prioritized based on their criticality to the business functions they support, including mappings to supported assets and business functions
• The ability to monitor the universe of external dependencies that connect to assets supporting systems critical to the firm and the sector, and to track connections among external dependencies, organizational assets and cyber risks throughout their lifespans
• Tracking capabilities that enable timely notification of cyber risk management issues to designated stakeholders
5. Incident response, cyber resilience, situational awareness (i.e., threat intelligence)
The agencies want firms to plan for, respond to, contain and rapidly recover from disruptions caused by cyber incidents, thereby strengthening their own cyber resilience and that of the sector. The agencies also want firms to be capable of operating critical business functions in the face of attacks and of continuously enhancing their cyber resilience.

As such, the proposals require, among other matters, that firms:
• Establish processes designed to maintain effective situational awareness capabilities to reliably predict, analyze and respond to changes in the operating environment, and to maintain effective incident response and cyber resilience governance, strategies and capacities that enable the organization to anticipate, withstand, contain and rapidly recover from a disruption:
  • This includes ongoing situational awareness of operational status and cybersecurity posture to preempt cyber events and respond rapidly to them; establishing and maintaining profiles for identified threats to the firm; gathering actionable cyber intelligence and performing ongoing security analytics; and capabilities for ongoing vulnerability management and threat modeling.
• Establish and maintain enterprise-wide cyber resilience and incident response programs, to include escalation protocols linked to organizational decision levels, cyber contagion containment procedures and communication strategies; processes to incorporate lessons learned back into the program; and cyber resilience strategies and exercises that consider wide-scale recovery scenarios designed to achieve institutional resilience, support sector-wide resilience, and minimize risks from interconnected parties
• Establish and implement strategies to meet the firm’s obligations for performing core business functions in the event of disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on various elements of interconnected critical infrastructure, e.g., energy and telecommunications
• Establish protocols for secure, immutable, offline storage of critical records, including financial records of the institution, loan data, asset management account information and daily deposit account records (including balances and ownership details), formatted using certain defined data standards to allow for restoration of these records by another financial institution, service provider or the FDIC in the event of resolution of the firm
• Conduct testing that addresses a disruptive, destructive, corruptive or other cyber event that could affect the ability to service clients and cause significant downtime that would affect the business resilience of clients; such testing would:
  • Address external interdependencies (e.g., connectivity to markets, payment systems, clearing entities, messaging services and other critical partners)
  • Be undertaken jointly where critical dependencies exist
  • Validate the effectiveness of internal and external communication protocols with stakeholders
How will the ANPR be implemented?
Within the questions posed, the agencies seek views on how the proposal should be implemented, i.e., policy statement versus detailed regulation. They offer three approaches, from the least to the most prescriptive:
1. A combination of a regulatory requirement to maintain a risk management framework for cyber risks along with a policy statement or guidance that describes minimum expectations for the framework.
2. Specific cyber risk management standards (e.g., a requirement for entities to establish a cybersecurity framework), which would cover the five categories noted above. For each category, the firm would have to establish and maintain policies, procedures, practices, controls, personnel and systems, as well as a corporate governance structure that supports implementation of, and compliance with, the program enterprise-wide, and necessary changes to the program due to the firm’s evolving risk profile.
3. A regulatory framework that is more detailed than approach #2, detailing the specific objectives and practices covered entities would have to achieve for each of the five categories so that they can demonstrate compliance with the requirements.

The agencies are seeking comments on the proposals by January 17, 2017. Contact details for each agency can be found in the ANPR. Firms are encouraged to read the detailed proposals with a view to considering whether they should respond to the questions outlined in the ANPR. Impacted firms that wish to have input into the consultative process are advised to respond to this ANPR.
EY Contacts
John Doherty, +1 212 773 2734, john.doherty@ey.com
Jaime Kahan, +1 212 773 7755, jaime.kahan@ey.com
Chris Kipphut, +1 704 338 0491, chris.kipphut1@ey.com
Ertem Osmanoglu, +1 212 773 3520, ertem.osmanoglu@ey.com
Mark Watson, +1 617 305 2217, mark.watson@ey.com
Paul Sussex, +1 212 773 2802, paul.sussex@ey.com
Matt Moog, +1 212 773 2096, matthew.moog@ey.com
Tom Campanile, +1 212 773 8461, thomas.campanile@ey.com
Cindy Doe, +1 617 375 4558, cynthia.doe@ey.com
Dan Costa, +1 212 773 5877, dan.costa@ey.com
Samir Nangea, +1 212 773 6742, samir.nangea@ey.com
Scott Waterhouse, +1 212 773 9974, scott.waterhouse@ey.com