Recommended immediate actions
• Impacted institutions should review the ANPR and evaluate the range of potential changes that would be needed, if it were implemented as proposed, to your:
  • Cyber risk management strategy
  • Board and senior management oversight and engagement processes
  • Three-lines-of-defense approach to cyber risk management
  • Business asset inventory, including criticality assessments and information flows
  • Vendor risk management strategy
  • Incident response and resilience capabilities
• Brief your board of directors and executive management on the ANPR and its potential implications for your organization
• Consider responding to the ANPR during the comment period, which ends on January 17, 2017
October 2016 | Financial Services Regulatory Alert
On Wednesday, October 19, 2016, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board (FRB) (collectively, the agencies) jointly announced enhanced cyber risk management standards for financial institutions in the form of an Advance Notice of Proposed Rulemaking (ANPR). The ANPR outlines enhanced cybersecurity risk management and resilience standards that would apply to large and interconnected entities under the agencies' supervision.
Put simply, the proposals would constitute the most significant and demanding cybersecurity standards yet applied to major financial services firms operating in the United States, both banking and non-banking, including financial market utilities and infrastructures (covered entities), and to the services provided to them by their vendors, suppliers and other third parties (covered services).
This Regulatory Alert outlines:
• What is an Advance Notice of Proposed Rulemaking?
• What firms would be affected?
• Why is the cyber ANPR so significant?
• What are the key requirements?
• How will the ANPR be implemented?
What is an Advance Notice of Proposed Rulemaking?
Industry participants are familiar with the ANPR process, but many firms beyond financial services that could be affected may not be. An ANPR is a preliminary draft of proposed regulation. While not as detailed or prescriptive as a final rule, it is intended to set out the main components of potential regulation and the key open questions regarding the content and scope of the proposal, as a basis for consultation with the industry and the third parties supporting it.
The cyber ANPR outlines 39 distinct questions on which the agencies are seeking comments by January 17, 2017. Comments can be sent to any or all of the three agencies.
Enhanced cyber risk management standards for financial institutions
The agencies will then consider the responses they receive and make changes as they see fit. They will then seek to issue actual proposed regulation or guidance. See "How will the ANPR be implemented?" for the three implementation options being considered by the agencies.
What firms would be affected?
The ANPR has considerable scope across financial services and beyond. Its core focus is financial institutions that are considered systemically important to the financial services industry and the economy at large. The proposed rule would apply to the types of institution listed below on an enterprise-wide basis and would complement, not replace, existing guidance such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Overall, the ANPR proposals would apply directly to:
• US bank holding companies with total consolidated assets of $50b or greater
• US savings and loan holding companies with total consolidated assets of $50b or greater
  • All subsidiaries of the above holding companies are also covered (non-depository subsidiaries would be regulated by the FRB; depository subsidiaries by the OCC or FDIC, as appropriate)
• US national, state member and state non-member depository institutions with total assets of $50b or greater that are not subsidiaries of holding companies
• US operations of foreign banking organizations (FBOs) with total US assets of $50b or greater
• Any non-bank financial companies supervised by the FRB, such as designated non-bank systemically important financial institutions (SIFIs)
• Designated financial market utilities (FMUs) and FRB-supervised financial market infrastructures (FMIs)
However, the proposed standards could have a broad impact well beyond financial services. The proposals would apply to third-party service providers with respect to the services they provide to covered entities, especially services that support sector-critical systems. Third parties include outside vendors, suppliers, customers, utilities (e.g., power and telecommunications) and other external organizations and service providers upon which the firms depend to deliver services. If the proposals are adopted, many of these firms would face considerably higher standards if they wish to continue serving the directly affected financial institutions.
The cyber ANPR sets out a two-tiered set of enhanced standards:
• Standards that apply to all covered entities and to covered services provided by third parties
• Higher expectations for systems deemed critical to the sector (sector-critical systems) and for the services that support those systems
Key definitions
• Internal dependency: business assets (i.e., workforce, data, technology and facilities) upon which the firm depends to deliver services, as well as the information flows and interconnectedness among those assets. Sources of such risks include insider threats, data transmission errors and the use of legacy systems acquired through a merger.
• External dependency: relationships with outside vendors, suppliers, customers, utilities (e.g., power and telecommunications) and other external organizations and service providers upon which the firm depends to deliver services, as well as the information flows and interconnectedness between the entity and the external parties. It is crucial to manage the interconnection risks associated with non-critical external parties that maintain trusted connections to important systems.
Embedding cyber risk across the organization
The ANPR explicitly calls on firms to integrate their formalized cyber risk management strategy, and the associated internal and external dependency management strategies, into their overall strategic plans and strategic risk management processes.
Implicitly, this would require firms to embed cyber risk assessments into:
• Due diligence and analysis regarding corporate development and mergers, acquisitions and dispositions
• The approval process for new products
• FinTech initiatives and acquisitions
• New digital platforms
• Their alliance-partner relationships
Inevitably, this would also require firms to incorporate cyber risks into their stress testing and capital planning processes, their material risk identification processes and their stress-test scenario design. Cyber risks would also need to be covered in recovery and resolution plans.
Why is the cyber ANPR so significant?
Financial services regulators have long issued interagency guidance on information security, cybersecurity and information technology, particularly through the Federal Financial Institutions Examination Council (FFIEC). To date, much of this has taken the form of guiding principles and has not been binding. It has been used by financial services supervisors and financial institutions to guide their efforts to strengthen the industry's cybersecurity.
The new cyber ANPR is much more demanding. It stands apart for four key reasons:
1. It is aimed at protecting the financial system, not just institutions.
2. In effect, it would be more prescriptive than prior guidance.
3. It sets out even more enhanced expectations for sector-critical systems.
4. It calls for an enterprise-wide, three-lines-of-defense approach to addressing cyber risks.
It is aimed at protecting the financial system, not just institutions
In light of fast-evolving threats, vulnerabilities and technologies, and an ever-expanding and more sophisticated set of cyber attackers, financial services regulators have greatly stepped up efforts to strengthen financial institutions' cybersecurity. Cross-industry forums supported by the U.S. Department of the Treasury, such as the Financial and Banking Information Infrastructure Committee (FBIIC), have sought to enable collaboration across the public and private sectors. A major focus has been on critical infrastructures, of which financial services is a key one. These efforts have, for the most part, focused on helping individual firms strengthen their cybersecurity through guidance and information sharing.
The cyber ANPR takes this to another level. It purposefully takes a view of cybersecurity across the financial system, elevating the significance of understanding and actively managing interconnectedness within and across the financial services industry. The proposals are not only aimed at the most systemic institutions in the industry; they are also focused on the key players (network nodes) that serve the industry.
The objective is clear: strengthen the sector as well as the institutions. The weakest link could affect the whole system through contagion.
Implications
Firms would be required to have a much deeper and more comprehensive understanding of the role they play within their ecosystems, their unique cyber risk profile across the ecosystem, and their critical dependencies on internal and external parties that result from this interconnectedness.
In effect, it would be more prescriptive than prior guidance
While the proposals are principles-based in form, they would constitute, if implemented rigorously, relatively prescriptive standards for impacted institutions.
For example, the proposals would require:
• The board of directors to have deep knowledge of cybersecurity or direct access to relevant expertise from within or outside the firm
• Second-line risk functions to include cyber risk professionals with direct and independent reporting lines to the board
• A detailed, board-approved cyber risk management strategy, including strategies covering internal and external dependencies, that is directly linked to the firm's broader strategic risk and risk management strategies
• A board-approved cyber risk appetite and tolerances, covering external and internal risks, that explicitly aim, over time, to reduce aggregate institutional and sector-wide cyber risk
• An inventory of all business assets and their criticality, including mappings to other assets and business functions, reliance on external parties, information flows and interconnections
• Prioritizing resiliency, monitoring, resources and investment for those systems deemed sector critical
• The ability to monitor in real time all external dependencies and trusted connections that support the firm's cyber risk management strategy
Any one of these requirements would be very demanding for most institutions. Taken together, their impact would be considerable.
Implications
Firms would have to fundamentally review, and possibly materially update, their entire cyber risk management strategy and governance.
It sets out even more enhanced expectations for sector-critical systems
The ANPR has a major focus on what it calls "sector-critical systems." In defining these systems, the agencies draw on the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (issued in April 2003) by the FRB, the OCC and the U.S. Securities and Exchange Commission.
While the paper's definition was limited to the resumption of clearance and settlement activities in wholesale financial markets, the agencies are considering whether a system should be deemed sector critical if it supports the clearing or settlement of at least 5% of the value of transactions (on a consistent basis):
• In one or more of the markets for federal funds, foreign exchange, commercial paper, US government and agency securities, and corporate debt and equity securities
• In other markets (for example, exchange-traded and over-the-counter derivatives), or if it supports the maintenance of a significant share (for example, 5%) of the total US deposits or balances due from other depository institutions in the United States
The agencies are also considering additional factors to identify sector-critical systems, such as substitutability and interconnectedness. Systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility), could have a material impact on financial stability if they were significantly disrupted. Systems that act as network nodes for the financial sector, due to their extensive interconnectedness with other financial entities, could also have a material impact on financial stability if significantly disrupted.
The agencies propose requiring firms that have sector-critical systems to establish and implement mechanisms to prioritize the monitoring, incident response and recovery of those systems. They also propose requiring firms to implement the most effective, commercially available controls to minimize the residual cyber risk of sector-critical systems.
In addition, firms with such systems would have to:
• Establish a recovery time objective (RTO) of two hours for sector-critical systems, validated by testing, to recover from a disruptive, corruptive or destructive event
• Establish protocols for secure, immutable, offline storage of critical records, formatted using defined data standards so that another financial institution or service provider could restore them, to cover the scenario in which a firm cannot recover its sector-critical systems within two hours
• Implement testing that covers a range of scenarios, including severe but plausible ones, and that addresses matters such as communications protocols, governance arrangements, and resumption and recovery practices
• At the bank holding company level, measure their ability to reduce the aggregate residual cyber risk of their sector-critical systems, and their ability to reduce such risk to a minimal level
Implications
Firms would have to determine whether any of their systems could be deemed sector critical and, if so, evaluate the impact of having to meet considerably more demanding recovery time requirements for those systems and of having to prioritize them over other systems. Firms' existing approaches to testing their systems may also require strengthening.
It calls for an enterprise-wide, three-lines-of-defense approach to addressing cyber risks
Since the financial crisis, financial services regulators have increasingly sought to compel regulated institutions to have a fully functioning three-lines-of-defense approach to risk management. This model depends on first-line (business-unit) accountability for managing all risk, financial and nonfinancial; second-line oversight of aggregate enterprise-wide risks and independent challenge of the first line; and third-line (internal audit) assurance of the overall risk governance approach. Above the three lines, regulators have demanded that an active, engaged and knowledgeable board of directors oversee the firm, and especially senior management, and provide credible, effective challenge.
The cyber ANPR explicitly outlines requirements that apply that model to cyber risks:
• The board of directors would have to approve a written cyber risk management strategy and approve a specific risk appetite and tolerances for cyber risks. The board should hold senior management accountable for implementing the strategy and managing the firm within the approved risk appetite. The board will need the right skills and resources to execute this enhanced oversight role.
• The first line (business units) would be expected, among other responsibilities, to assess on an ongoing basis the cyber risks associated with business unit activities and the potential vulnerabilities associated with every business asset, service and IT connection point. Business units should also identify, measure, monitor and control cyber risks consistent with the firm's approved risk appetite and tolerances.
• The second line (risk management and compliance) would be expected, among other responsibilities, to report on the implementation of the firm's cyber risk management framework. It should also analyze cyber risk at the enterprise level to identify and monitor effective responses to events with the potential to impact one or multiple operating units. The second line should identify and assess the firm's material aggregate risks and determine whether actions need to be taken to strengthen risk management or reduce risk given changes in the firm's risk profile or other conditions, with a particular emphasis on sector-critical systems. In addition, the second line should validate compliance with the firm's cyber risk management framework and confirm that the framework complies with applicable laws and regulations.
• The third line (internal audit) would be expected, among other responsibilities, to assess whether the cyber risk management framework complies with applicable laws and regulations and is appropriate for the firm's size, complexity, interconnectedness and risk profile. Internal audit would also incorporate an assessment of the design and operating effectiveness of the firm's cyber risk management approach into its overall audit plan.
Implications
Firms would have to review and revise organization structures; roles and responsibilities; resourcing; and strategies, policies, procedures and plans across the three lines of defense. Firms would also have to review and potentially revise board-level governance.
What are the key requirements?
The standards would be organized in five categories:
1. Cyber risk governance
2. Cyber risk management
3. Internal dependency management
4. External dependency management
5. Incident response, cyber resilience and situational awareness (i.e., threat intelligence)
1. Cyber risk governance
In the ANPR, the agencies seek to apply enhanced standards for corporate governance and risk governance to firms' cybersecurity approaches. The ANPR calls for strong board oversight.
Proposals include requiring firms to:
• Develop and maintain a written, board-approved, enterprise-wide cyber risk management strategy that is integrated into strategic plans and risk management structures and that articulates how the firm will:
  • Address inherent cyber risk (i.e., cyber risk before mitigating controls or other considerations)
  • Maintain an acceptable level of residual risk (i.e., cyber risk after mitigating controls or other considerations)
  • Maintain resilience on an ongoing basis
• Establish a framework of policies and procedures to implement the strategy and cyber risk tolerances consistent with the firm's risk appetite and strategy
• Manage cyber risk in a manner appropriate to the nature of the firm's operations, and manage residual cyber risk to the level approved by the board
2. Cyber risk management
As noted above, the ANPR sets out expansive requirements for the first, second and third lines of defense. In addition to the issues noted above, the proposals would require the:
• First line to maintain, or have access to, resources and staff with the right skill set to meet the business unit's cybersecurity responsibilities, and to report to senior management (including the CEO) in a timely manner so that management can react appropriately to emerging cyber risks and incidents
• Second line to have executives responsible for cyber risk oversight (e.g., chief information security officers) who are independent of business line management, who have sufficient independence, stature, authority and resources, and who report to the CEO and board of directors, as appropriate, when their assessment of cyber risks differs from that of the first-line business unit or when a unit exceeds the firm's established cyber risk tolerances
• Third line to have audit plans that evaluate the adequacy of compliance with the board-approved cyber risk management framework and that cover the entire security life cycle, including penetration testing and other vulnerability assessment activities
3. Internal dependency management
Firms would have to integrate an explicit internal dependency management strategy (IDMS) into their overall strategic and cyber risk management plans.
The IDMS would, among other items, require firms to have:
• Effective capabilities to identify and manage the cyber risks associated with their business assets throughout the assets' lifespans, and to continually assess and improve, as necessary, their ability to reduce the cyber risks associated with internal dependencies on an enterprise-wide basis
• A current and complete awareness of all internal assets and business functions that support the firm's cyber risk management strategy, mapped to other assets and business functions, information flows and interconnections
• An inventory of all business assets on an enterprise-wide basis, prioritized by their criticality to the business functions they support, the firm's mission and the financial sector
• The ability to track connections among assets, and their cyber risk levels, throughout the assets' life cycles using relevant data and analysis from across the firm
• Appropriate controls to address inherent cyber risk in the firm's assets, taking into account the prioritization of the firm's assets and the cyber risks they pose to the firm, by:
  • Assessing the cyber risks of assets and their operating environment prior to deployment
  • Continually applying controls and monitoring assets and their operating environments (including deviations from baseline cybersecurity configurations) over the assets' life cycles
  • Assessing relevant cyber risks to the assets (e.g., insider threats to systems and data) and mitigating identified deviations, granted exemptions and known violations of internal dependency cyber risk management policies, standards and procedures
4. External dependency management
With regard to external dependencies, firms would have to integrate an explicit external dependency management strategy (EDMS) into their strategic and cyber risk management plans.
The EDMS would, among other items, require firms to have:
• Effective capabilities in place to identify and manage the cyber risks associated with external dependencies and interconnection risks throughout those relationships, and to continually assess and improve, as necessary, their effectiveness in reducing those risks enterprise-wide
• The ability to monitor in real time all external dependencies and trusted connections that support the firm's cyber risk management strategy
• A current, accurate and complete awareness of all external dependencies and trusted connections enterprise-wide, prioritized based on their criticality to the business functions they support, including mappings to the assets and business functions they support
• The ability to monitor the universe of external dependencies that connect to assets supporting systems critical to the firm and the sector, and to track connections among external dependencies, organizational assets and cyber risks throughout their lifespans
• Tracking capabilities that enable timely notification of cyber risk management issues to designated stakeholders
5. Incident response, cyber resilience and situational awareness (i.e., threat intelligence)
The agencies want firms to plan for, respond to, contain and rapidly recover from disruptions caused by cyber incidents, thereby strengthening both their own cyber resilience and that of the sector. The agencies also want firms to be capable of operating critical business functions in the face of attacks and of continuously enhancing their cyber resilience.
As such, the proposals require, among other matters, that firms:
• Establish processes designed to maintain effective situational awareness capabilities to reliably predict, analyze and respond to changes in the operating environment, and to maintain effective incident response and cyber resilience governance, strategies and capacities that enable the organization to anticipate, withstand, contain and rapidly recover from a disruption. This includes ongoing situational awareness of operational status and cybersecurity posture in order to preempt cyber events and respond rapidly to them; establishing and maintaining profiles for identified threats to the firm; gathering actionable cyber intelligence and performing ongoing security analytics; and capabilities for ongoing vulnerability management and threat modeling.
• Establish and maintain enterprise-wide cyber resilience and incident response programs, including escalation protocols linked to organizational decision levels, cyber contagion containment procedures and communication strategies; processes to incorporate lessons learned back into the program; and cyber resilience strategies and exercises that consider wide-scale recovery scenarios designed to achieve institutional resilience, support sector-wide resilience and minimize risks from interconnected parties
• Establish and implement strategies to meet the firm's obligations for performing core business functions in the event of disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on various elements of interconnected critical infrastructure (e.g., energy and telecommunications)
• Establish protocols for secure, immutable, offline storage of critical records, including the institution's financial records, loan data, asset management account information and daily deposit account records (including balances and ownership details), formatted using defined data standards so that the records can be restored by another financial institution, a service provider or the FDIC in the event of the firm's resolution
• Conduct testing that addresses a disruptive, destructive, corruptive or other cyber event that could affect the firm's ability to service clients and cause significant downtime affecting the business resilience of clients; such testing would:
  • Address external interdependencies (e.g., connectivity to markets, payment systems, clearing entities, messaging services and other critical partners)
  • Be undertaken jointly where critical dependencies exist
  • Validate the effectiveness of internal and external communication protocols with stakeholders
How will the ANPR be implemented?
Within the questions posed, the agencies seek views on how the proposal should be implemented, i.e., as a policy statement versus detailed regulation. They offer three approaches, from the least to the most prescriptive:
1. A combination of a regulatory requirement to maintain a risk management framework for cyber risks and a policy statement or guidance that describes minimum expectations for the framework.
2. Specific cyber risk management standards (e.g., a requirement for entities to establish a cybersecurity framework) covering the five categories noted above. For each category, the firm would have to establish and maintain policies, procedures, practices, controls, personnel and systems, as well as a corporate governance structure that supports implementation of, and compliance with, the program enterprise-wide and the changes to the program required by the firm's evolving risk profile.
3. A regulatory framework that is more detailed than approach #2, setting out specific objectives and practices that covered entities would have to achieve for each of the five categories so that they can demonstrate compliance with the requirements.
The agencies are seeking comments on the proposals by January 17, 2017. Contact details for each agency can be found in the ANPR. Firms are encouraged to read the detailed proposals with a view to considering whether they should respond to the questions outlined in the ANPR. Impacted firms that wish to have input into the consultative process are advised to respond to this ANPR.
EY Contacts
John Doherty
+1 212 773 2734
john.doherty@ey.com
Jaime Kahan
+1 212 773 7755
jaime.kahan@ey.com
Chris Kipphut
+1 704 338 0491
chris.kipphut1@ey.com
Ertem Osmanoglu
+1 212 773 3520
ertem.osmanoglu@ey.com
Mark Watson
+1 617 305 2217
mark.watson@ey.com
Paul Sussex
+1 212 773 2802
paul.sussex@ey.com
Matt Moog
+1 212 773 2096
matthew.moog@ey.com
Tom Campanile
+1 212 773 8461
thomas.campanile@ey.com
Cindy Doe
+1 617 375 4558
cynthia.doe@ey.com
Dan Costa
+1 212 773 5877
dan.costa@ey.com
Samir Nangea
+1 212 773 6742
samir.nangea@ey.com
Scott Waterhouse
+1 212 773 9974
scott.waterhouse@ey.com
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world over.
We develop outstanding leaders who team to deliver on our promises
to all of our stakeholders. In so doing, we play a critical role in building
a better working world for our people, for our clients and for our
communities.
EY refers to the global organization, and may refer to one or more, of
the member firms of Ernst & Young Global Limited, each of which is
a separate legal entity. Ernst & Young Global Limited, a UK company
limited by guarantee, does not provide services to clients. For more
information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young
Global Limited operating in the US.
© 2016 EYGM Limited.
All Rights Reserved.
This material has been prepared for general informational purposes only and
is not intended to be relied upon as accounting, tax or other professional
advice. Please refer to your advisors for specific advice.
ey.com/anpr-cyber
SCORE no. 03562-161US
1610-2067543 BDFSO
ED None

Implement enhanced cyber risk standards

What is an Advance Notice of Proposed Rulemaking?
Industry participants are familiar with the ANPR process, but many firms beyond financial services that could be affected may not be. An ANPR is a preliminary draft of proposed regulation. While not as detailed or prescriptive as a final rule, it is intended to set out the main components of potential regulation and the key open questions regarding the content and scope of the proposal, as a basis for consultation with the industry and the third parties supporting it. The cyber ANPR outlines 39 distinct questions on which the agencies are seeking comments by January 17, 2017. Comments can be sent to all or any of the three agencies.

The agencies will then consider the responses they receive and make changes as they see fit. They will then seek to issue actual proposed regulation or guidance. See "How will the ANPR be implemented?" for the three implementation options being considered by the agencies.

What firms would be affected?

The ANPR has considerable scope across financial services and beyond. The core focus is financial institutions that are considered systemically important to the financial services industry and the economy at large. The proposed rule would apply to the types of institution listed below on an enterprise-wide basis and would complement, not replace, existing guidance such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Overall, the ANPR proposals would apply directly to:

•	US bank holding companies with total consolidated assets of $50b or greater
•	US savings and loan holding companies with total consolidated assets of $50b or greater
•	All subsidiaries of the above holding companies are also covered (non-depository subsidiaries would be regulated by the FRB; depository subsidiaries by the OCC or FDIC as appropriate)
•	US national, state and state non-member depository institutions with total assets of $50b or greater that are not subsidiaries of holding companies
•	US operations of foreign banking organizations (FBOs) with total US assets of $50b or greater
•	Any non-bank financial companies supervised by the FRB, such as designated non-bank systemically important financial institutions (SIFIs)
•	Designated financial market utilities (FMUs) and FRB-supervised financial market infrastructures (FMIs)

However, the proposed standards could have broad impact well beyond financial services. The proposals would apply to third-party service providers with respect to the services they provide to covered entities, especially services that support sector-critical systems. Third parties include outside vendors, suppliers, customers, utilities (e.g., power and telecommunications), and other external organizations and service providers upon which the firms depend to deliver services. If the proposals are adopted, many of these firms would face considerably higher standards if they wish to continue serving the financial institutions that are directly affected.

The cyber ANPR sets out a two-tiered set of enhanced standards:

•	Standards that apply to all covered entities and to covered services provided by third parties
•	Higher expectations for those systems deemed critical to the sector (sector-critical systems) and for the services that support those systems

Key definitions

•	Internal dependency: business assets (i.e., workforce, data, technology and facilities) upon which the firm depends to deliver services, as well as the information flows and interconnectedness among those assets. Sources of such risks include insider threats, data transmission errors and the use of legacy systems acquired through a merger.
•	External dependency: relationships with outside vendors, suppliers, customers, utilities (e.g., power and telecommunications), and other external organizations and service providers upon which the firm depends to deliver services, as well as the information flows and interconnectedness between the entity and the external parties. It is crucial to manage the interconnection risks associated with non-critical external parties that maintain trusted connections to important systems.

Embedding cyber risk across the organization

The ANPR explicitly calls on firms to integrate their formalized cyber risk management strategy, and the associated internal and external dependency management strategies, into their overall strategic plans and strategic risk management processes. Implicitly, this would require firms to embed cyber risk assessments into:

•	Due diligence and analysis regarding corporate development and mergers, acquisitions and dispositions
•	The approval process for new products
•	FinTech initiatives and acquisitions
•	New digital platforms
•	Their alliance-partner relationships

Inevitably, this would require firms to incorporate cyber risks into their stress testing and capital planning processes, their material risk identification processes, and their stress-test scenario design. Cyber risks would also need to be covered in recovery and resolution plans.
Why is the cyber ANPR so significant?

Financial services regulators have long issued interagency guidance on information security, cybersecurity and information technology, particularly through the Federal Financial Institutions Examination Council (FFIEC). To date, much of this has been guiding principles, and not binding. It has been used by financial services supervisors and financial institutions to guide their efforts to strengthen the industry's cybersecurity. The new cyber ANPR is much more demanding. It stands apart for four key reasons:

1.	It is aimed at protecting the financial system, not just institutions.
2.	In effect, it would be more prescriptive than prior guidance.
3.	It sets out even more enhanced expectations for sector-critical systems.
4.	It calls for an enterprise-wide, three-lines-of-defense approach to addressing cyber risks.

It is aimed at protecting the financial system, not just institutions

In light of fast-evolving threats, vulnerabilities and technologies, and an ever-expanding and more sophisticated set of cyber attackers, financial services regulators have greatly stepped up efforts to strengthen financial institutions' cybersecurity. Cross-industry forums supported by the U.S. Department of the Treasury, such as the Financial and Banking Information Infrastructure Committee (FBIIC), have sought to enable collaboration across the public and private sectors. A major focus has been on critical infrastructures, of which financial services is a key one. The efforts have, for the most part, focused on helping individual firms strengthen their cybersecurity through guidance and information sharing.

The cyber ANPR takes this to another level. It purposefully takes a view of cybersecurity across the financial system, elevating the significance of understanding and actively managing the interconnectedness within and across the financial services industry. The proposals are not only aimed at the most systemic institutions in the industry; they are focused on the key players (network nodes) that serve the industry. The objective is clear: strengthen the sector, as well as the institutions. The weakest link could affect the whole system, through contagion.

Implications

Firms would be required to have a much deeper and more comprehensive understanding of the role they play within their ecosystems, their unique cyber risk profile across the ecosystem, and their critical dependencies on internal and external parties as a result of that interconnectedness.

In effect, it would be more prescriptive than prior guidance

While the proposals are principles-based in fashion, they constitute what would be, if implemented rigorously, relatively prescriptive standards for impacted institutions. For example, the proposals would require:

•	The board of directors to have deep knowledge of cybersecurity or direct access to relevant expertise from within or outside the firm
•	Second-line risk functions to include cyber risk professionals with direct and independent reporting lines to the board
•	A detailed, board-approved cyber risk management strategy, including strategies to cover internal and external dependencies, that is directly linked to the firm's broader strategic risk and risk management strategies
•	A board-approved cyber risk appetite and tolerances, covering external and internal risks, that explicitly aim, over time, to reduce aggregate institutional and sector-wide cyber risk
•	An inventory of all business assets and their criticality, including mappings to other assets and business functions, reliance on external parties, information flows and interconnections
•	Prioritizing resiliency, monitoring, resources and investment for those systems deemed sector-critical
•	The ability to monitor in real time all external dependencies and trusted connections that support the firm's cyber risk management strategy

Any one of those requirements would be very demanding for most institutions. Together, their impact would be considerable.

Implications

Firms would have to fundamentally review and possibly materially update their entire cyber risk management strategy and governance.

It sets out even more enhanced expectations for sector-critical systems

The ANPR has a major focus on what it calls "sector-critical systems." In defining these systems, the agencies draw on the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (issued in April 2003) by the FRB, the OCC and the U.S. Securities and Exchange Commission.
  • 4. 4 | Enhanced cyber risk management standards for financial institutions While the paper’s definition was limited to the resumption of clearance and settlement activities in wholesale financial markets, the agencies are considering whether systems should be sector critical if they support the clearing or settlement of at least 5% of the value of transactions (on a consistent basis): • In one or more of the markets for federal funds, foreign exchange, commercial paper, US government and agency securities, and corporate debt and equity securities • In other markets (for example, exchange-traded and over-the- counter derivatives) that support the maintenance of a significant share (for example, 5%) of the total US deposits or balances due from other depository institutions in the United States The agencies are considering additional factors to identify sector- critical systems, such as substitutability and interconnectedness. Systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility), could have a material impact on financial stability if they were significantly disrupted. Systems that act as network nodes to the financial sector due to their extensive interconnectedness to other financial entities could also have a material impact on financial stability if significantly disrupted. The agencies propose requiring firms that have sector-critical systems to establish and implement mechanisms to prioritize monitoring, incident response and recovery of those systems. They also propose a requirement that firms implement the most effective, commercially available controls to minimize the residual cyber risk of sector-critical systems. 
In addition, firms with such systems would have to: • Establish a recovery time objective (RTO) of two hours for sector-critical systems — validated by testing — to recover from a disruptive, corruptive or destructive event • Establish protocols for secure, immutable, offline storage of critical records, formatted using certain defined data standards to allow for restoration of these records by another financial institution and service provider, to cover the scenario that firms cannot recover their sector-critical systems within two hours • Implement testing that would include a range of scenarios, including severe but plausible scenarios, and that should address matters such as communications protocols, governance arrangements, and resumption and recovery practices • At the bank holding company level, measure their ability to reduce the aggregate residual cyber risk of their sector-critical systems and their ability to reduce such risk to a minimal level Implications Firms would have to determine if any of their systems could be deemed sector-critical and, if so, evaluate the impact of having to meet considerably more demanding recovery time requirements for those systems, and the impact of having to prioritize those systems over other systems. Firms’ existing approaches to testing their systems may also require strengthening. It calls for an enterprise-wide, three-lines-of-defense approach to addressing cyber risks Since the financial crisis, financial services regulators have increasingly sought to compel regulated institutions to have a fully functioning three-lines-of-defense approach to risk management. This model depends on first-line, or business-unit, accountability for managing all risk, financial and nonfinancial; second-line oversight of aggregate enterprise-wide risks and independent challenge of the first line; and third-line — internal audit— assurance of the overall risk governance approach. 
Above the three lines, regulators have demanded that an active, engaged, knowledgeable board of directors oversees the firm — especially senior management — and provides credible, effective challenge. The cyber ANPR explicitly outlines requirements that apply that model to cyber risks:

• The board of directors would have to approve a written cyber risk management strategy and approve a specific risk appetite and tolerances for cyber risks. The board should hold senior management accountable for implementing the strategy and managing the firm within the approved risk appetite. The board will need the right skills and resources to execute this enhanced oversight role.
• The first line — business units — would be expected, among other responsibilities, to assess, on an ongoing basis, cyber risks associated with business unit activities and potential vulnerabilities associated with every business asset, service and IT connection point. Business units should also identify, measure, monitor and control cyber risks consistent with the firm’s approved risk appetite and tolerances.
• The second line — risk management and compliance — would be expected, among other responsibilities, to report on implementation of the firm’s cyber risk management framework. It should also analyze cyber risk at the enterprise level to identify and monitor effective response to events with the potential to impact one or multiple operating units. The second line should identify and assess the firm’s material aggregate risks and determine whether actions need to be taken to strengthen risk management or reduce risk given changes in the firm’s risk profile or other conditions, with a particular emphasis on sector-critical systems. In addition, the second line should validate compliance with the firm’s cyber risk management framework and that the framework is compliant with applicable laws and regulations.
• The third line — internal audit — would be expected, among other responsibilities, to assess whether the cyber risk management framework complies with applicable laws and regulations and is appropriate for the firm’s size, complexity, interconnectedness and risk profile. Internal audit would also incorporate an assessment of the design and operating effectiveness of the firm’s cyber risk management approach into its overall audit plan.

Implications
Firms will have to review and revise organization structures; roles and responsibilities; resourcing; and strategies, policies, procedures and plans across the three lines of defense. Firms would also have to review and potentially revise board-level governance.

What are the key requirements?
The standards would be organized in five categories:
1. Cyber risk governance
2. Cyber risk management
3. Internal dependency management
4. External dependency management
5. Incident response, cyber resilience, situational awareness (i.e., threat intelligence)

1. Cyber risk governance
In the ANPR, the agencies seek to apply enhanced standards for corporate governance and risk governance to firms’ cybersecurity approaches. The ANPR calls for strong board oversight.
Proposals include requiring firms to:

• Develop and maintain a written, board-approved, enterprise-wide cyber risk management strategy that is integrated into strategic plans and risk management structures and that articulates how firms:
  • Address inherent cyber risk (i.e., cyber risk before mitigating controls or other considerations)
  • Maintain an acceptable level of residual risk (i.e., cyber risk after mitigating controls or other considerations)
  • Maintain resilience on an ongoing basis
• Establish a framework of policies and procedures to implement the strategy and cyber risk tolerances consistent with the firm’s risk appetite and strategy
• Manage cyber risk appropriate to the nature of the firm’s operations, and manage residual cyber risk to the level approved by the board

2. Cyber risk management
As noted above, the ANPR sets out expansive requirements on the first, second and third lines of defense. In addition to the issues noted above, the proposals would require the:

• First line to maintain, or have access to, resources and staff with the right skill set to meet the business unit’s cybersecurity responsibilities and to report to senior management (including the CEO), in a timely manner, so management can react appropriately to emerging cyber risks and incidents
• Second line to have executives responsible for cyber risk oversight (e.g., chief information security officers) independent of business line management, who should have sufficient independence, stature, authority and resources and should report to the CEO and board of directors, as appropriate, when their assessment of cyber risks differs from that of the first-line business unit or when a unit exceeds the firm’s established cyber risk tolerances
• Third line to have audit plans that evaluate the adequacy of compliance with the board-approved cyber risk management framework and that cover the entire security life cycle, including penetration testing and other vulnerability assessment activities

3. Internal dependency management
Firms would have to integrate an explicit internal dependency management strategy (IDMS) into the firm’s overall strategic and cyber risk management plans. The IDMS would, among other items, require firms to have:

• Effective capabilities to identify and manage cyber risks associated with their business assets throughout their lifespans and to continually assess and improve, as necessary, their ability to reduce the cyber risks associated with internal dependencies on an enterprise-wide basis
• A current and complete awareness of all internal assets and business functions that support the firm’s cyber risk management strategy, which should be mapped to other assets and business functions, information flows, and interconnections
• An inventory of all business assets on an enterprise-wide basis, prioritized by their criticality to the business functions they support, the firm’s mission and the financial sector
• The ability to track connections among assets and cyber risk levels throughout assets’ life cycles using relevant data and analysis across the firm
• Appropriate controls to address inherent cyber risk in the firm’s assets, taking into account the prioritization of the firm’s assets and the cyber risks they pose to the firm, by:
  • Assessing the cyber risks of assets and their operating environment prior to deployment
  • Continually applying controls and monitoring assets and their operating environments (including deviations from baseline cybersecurity configurations) over the assets’ life cycles
  • Assessing relevant cyber risks to the assets (e.g., insider threats to systems and data) and mitigating identified deviations, granted exemptions and known violations of internal dependency cyber risk management policies, standards and procedures

4. External dependency management
With regard to external dependencies, firms would have to integrate an explicit external dependency management strategy (EDMS) into the firm’s strategic and cyber risk management plans. The EDMS would, among other items, require firms to have:

• Effective capabilities in place to identify and manage cyber risks associated with external dependencies and interconnection risks throughout these relationships, and to continually assess and improve, as necessary, their effectiveness in reducing cyber risks associated with external dependencies and interconnection risks enterprise-wide
• The ability to monitor in real time all external dependencies and trusted connections that support a firm’s cyber risk management strategy
• A current, accurate and complete awareness of all external dependencies and trusted connections enterprise-wide, prioritized based on their criticality to the business functions they support, including mappings to supported assets and business functions
• The ability to monitor the universe of external dependencies that connect to assets supporting systems critical to the firm and sector, and to track connections among external dependencies, organizational assets, and cyber risks throughout their lifespans
• Tracking capabilities that enable timely notification of cyber risk management issues to designated stakeholders

5. Incident response, cyber resilience, situational awareness (i.e., threat intelligence)
The agencies want firms to plan for, respond to, contain and rapidly recover from disruptions caused by cyber incidents, thereby strengthening their cyber resilience and that of the sector.
The agencies also want firms that are capable of operating critical business functions in the face of attacks and of continuously enhancing cyber resilience. As such, the proposals require, among other matters, that firms:

• Establish processes designed to maintain effective situational awareness capabilities to reliably predict, analyze and respond to changes in the operating environment, and to maintain effective incident response and cyber resilience governance, strategies and capacities that enable organizations to anticipate, withstand, contain and rapidly recover from a disruption:
  • This includes ongoing situational awareness of operational status and cybersecurity posture to preempt cyber events and respond rapidly to them; establishing and maintaining profiles for identified threats to the firm; gathering actionable cyber intelligence and performing ongoing security analytics; and capabilities for ongoing vulnerability management and threat modeling.
• Establish and maintain enterprise-wide cyber resilience and incident response programs, to include escalation protocols linked to organizational decision levels, cyber contagion containment procedures and communication strategies; processes to incorporate lessons learned back into the program; and cyber resilience strategies and exercises that consider wide-scale recovery scenarios designed to achieve institutional resilience, support sector-wide resilience, and minimize risks from interconnected parties
• Establish and implement strategies to meet the firm’s obligations for performing core business functions in the event of disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on various elements of interconnected critical infrastructure, e.g., energy and telecommunications
• Establish protocols for secure, immutable, offline storage of critical records, including financial records of the institution, loan data, asset management account information and daily deposit account records, including balances and ownership details, formatted using certain defined data standards to allow for restoration of these records by another financial institution, service provider or the FDIC in the event of resolution of the firm
• Conduct testing that addresses a disruptive, destructive, corruptive or other cyber event that could affect the ability to service clients and incur significant downtime that would affect the business resilience of clients; such testing would:
  • Address external interdependencies (e.g., connectivity to markets, payment systems, clearing entities, messaging services and other critical partners)
  • Be undertaken jointly where critical dependencies exist
  • Validate the effectiveness of internal and external communication protocols with stakeholders

How will the ANPR be implemented?
Within the questions posed, the agencies seek views on how the proposal should be implemented, i.e., policy statement versus detailed regulation. They offer three approaches, from the least to the most prescriptive:

1. A combination of a regulatory requirement to maintain a risk management framework for cyber risks along with a policy statement or guidance that describes minimum expectations for the framework.
2. Specific cyber risk management standards (e.g., a requirement for entities to establish a cybersecurity framework), which would cover the five categories noted above. For each category, the firm would have to establish and maintain policies, procedures, practices, controls, personnel and systems, as well as a corporate governance structure that supports implementation of, and compliance with, the program enterprise-wide, and necessary changes to the program due to the firm’s evolving risk profile.
3. A regulatory framework that is more detailed than approach #2, detailing specific objectives and practices covered entities would have to achieve for each of the five categories so that they can demonstrate compliance with the requirements.

The agencies are seeking comments on the proposals by January 17, 2017. Contact details for each agency can be found in the ANPR. Firms are encouraged to read the detailed proposals with a view to considering whether they should respond to the questions outlined in the ANPR. Impacted firms that wish to have input to the consultative process are advised to respond to this ANPR.

EY Contacts
John Doherty, +1 212 773 2734, john.doherty@ey.com
Jaime Kahan, +1 212 773 7755, jaime.kahan@ey.com
Chris Kipphut, +1 704 338 0491, chris.kipphut1@ey.com
Ertem Osmanoglu, +1 212 773 3520, ertem.osmanoglu@ey.com
Mark Watson, +1 617 305 2217, mark.watson@ey.com
Paul Sussex, +1 212 773 2802, paul.sussex@ey.com
Matt Moog, +1 212 773 2096, matthew.moog@ey.com
Tom Campanile, +1 212 773 8461, thomas.campanile@ey.com
Cindy Doe, +1 617 375 4558, cynthia.doe@ey.com
Dan Costa, +1 212 773 5877, dan.costa@ey.com
Samir Nangea, +1 212 773 6742, samir.nangea@ey.com
Scott Waterhouse, +1 212 773 9974, scott.waterhouse@ey.com
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2016 EYGM Limited. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com/anpr-cyber
SCORE no. 03562-161US
1610-2067543 BDFSO
ED None