Groups wary of imposing board-level cyber-requirements
Financial services industry groups want regulators to be cautious about imposing requirements on banks’ boards as they seek to boost cyber-security in the industry.
The Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation in October sought comment on an advance notice of proposed rulemaking (ANPR) regarding potential enhanced cyber-risk management standards for both the large and interconnected firms they supervise and those firms’ service providers.
The firms that would need to meet any new standards are: depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the US operations of foreign banking organizations with total US assets of $50 billion or more, and financial market infrastructure companies and non-bank financial companies supervised by the Fed.
‘The agencies are considering establishing enhanced standards to increase the operational resilience of these entities and reduce the impact on the financial system in case of a cyber-event experienced by one of these entities,’ officials wrote at the time.
The ANPR addresses five categories of cyber-standards:
- Cyber-risk governance
- Cyber-risk management
- Internal dependency management
- External dependency management
- Incident response, cyber-resilience and situational awareness.
The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial services industry.
Among other things, the agencies stated in the ANPR that they are considering requiring boards of directors to have adequate expertise in cyber-security or to have access to resources or staff with such skills. ‘Consistent with existing agency expectations, the enhanced standards would require the board of directors to have and maintain the ability to provide credible challenge to management in matters related to cyber-security and the evaluation of cyber-risks and resilience,’ they wrote.
In a joint comment letter filed last month, the Securities Industry and Financial Markets Association (Sifma), American Bankers Association (ABA) and Institute of International Bankers (IIB) write that they agree financial institutions should establish processes to ensure their boards of directors are actively engaged in establishing and reviewing firms’ risk profiles. They also agree that it is important for boards to have access to internal, external and independent experts so that the board adequately understands cyber-security risks.
‘But the composition of a board should be driven not by a specific skill set but by the overall experience of each member and the combination of experience across the board,’ they argue. ‘Additionally, prescriptive requirements that a board approve specific policies and procedures may lead to unnecessary rigidity or interference with the board’s evaluation of the best method to supervise the firm’s management of cyber-security risk.’
The groups urge the agencies to avoid imposing a rule ‘that would interfere with the board’s independence, composition or ability to determine what is in the best interest of the firm.’
Sifma, the ABA and IIB say their member firms dedicate large amounts of resources both to protecting against cyber-crime and complying with ‘an expanding, and often overlapping, set of cyber-security regulations.’ Indeed, they say, firms report that 40 percent of corporate cyber-security activities are compliance-related rather than security-related.
The industry groups complain that the ANPR risks undermining their members’ cyber-security efforts by failing to fully recognize extensive efforts firms have already made to implement risk-based approaches such as the National Institute of Standards and Technology’s (NIST) cyber-security framework and existing federal requirements.
They argue that the ANPR proposes several standards of a prescriptive rather than risk-based nature, including: applying the standards to entities with $50 billion in assets regardless of risk, establishing a specific recovery time objective (RTO) of two hours for certain systems, prescribing specific allocations of responsibility for different lines of risk management, and requiring offline storage and restoration of critical records.
‘We request that any final rule issued by the agencies adopt a risk-based approach consistent with the approach adopted by voluntary frameworks such as the [NIST framework] and further elaborated in the [Federal Financial Institutions Examination Council’s cyber-security assessment tool], setting control objectives rather than prescriptive requirements,’ officials with Sifma, the ABA and the IIB write.
Taking this approach would allow firms to use their existing programs to comply with the cyber-security requirements of the agencies and other regulators, they add.
The enhanced standards should be applied based on the potential for a cyber-incident to affect the safety and soundness of the financial sector as a whole, the groups argue. Although the size of an institution is one factor in that analysis, the ANPR should also take into account risk factors such as the critical business functions a firm is responsible for and the importance of these activities relative to the overall market.
They also urge the regulators to drop ‘impractical and technically infeasible requirements.’ For example, they say, imposing a two-hour RTO for industry-critical systems is not technically feasible and ‘might have the unintended consequence of restoring a system to operation before the nature of the threat or the effects of the event have been fully understood and remediated.’
In addition, the groups ask for greater clarity on the mechanism the regulators would use to apply the enhanced standards directly to third parties, and which third parties they intend to include in the scope of the planned standards.