
Federal Banking Agencies Issue Proposal on Cyber Risk Management Standards
Standards would require largest institutions to enhance operational resilience
October 2016

Executive summary

On October 19, 2016, the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) (collectively, the "agencies") approved an advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management and resilience standards for supervised institutions with total assets of more than $50 billion.

Background

The agencies observe that, as large financial institutions increasingly depend on information technology (IT) to engage in banking activities and to provide services to the financial sector, the threat of high-impact IT failures and cyber-attacks has also grown. Specifically, the agencies raise concerns that a cyber incident or IT failure at one entity may impact the safety and soundness of other financial entities.

The ANPR seeks comment on proposed standards for how large financial institutions identify, measure, mitigate, and monitor various types of cyber risks. According to the FDIC, the standards draw significantly on existing guidance and leading practices, including those issued by the National Institute of Standards and Technology (NIST).

Two tiers of standards

Enhanced standards: These standards would apply to all systems of covered entities.
Sector-critical standards: These standards would apply to systems of covered entities determined by the agencies to be critical to the financial system (i.e., "sector-critical systems").

Five categories of enhanced standards

1 Cyber risk governance
2 Cyber risk management
3 Internal dependency management
4 External dependency management
5 Incident response, cyber resilience

Covered entities

US bank holding companies (BHCs), US operations of foreign banking organizations (FBOs), US savings and loan holding companies, nonbank subsidiaries of covered BHCs, depository institutions, nonbank financial companies and financial market utilities designated for FRB supervision by the Financial Stability Oversight Council (FSOC); FRB-supervised financial market infrastructures (FMIs); third-party service providers with respect to services provided to depository institutions.

Comments on the ANPR are due by January 17, 2017.

Source: http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20161019a1.pdf

Copyright 2016 Deloitte Development LLC. All rights reserved.

Application of enhanced standards (1 of 2)

Below is an overview of the five categories of enhanced standards that would apply to all systems of covered entities.

Cyber risk governance

Each covered entity would be required to develop and maintain a written, enterprise-wide cyber risk management strategy, as well as a framework of policies and procedures to implement the strategy, that is integrated into its overall business strategy:
o For FRB-regulated entities, this would be part of the larger global risk management framework required by Regulation YY (Enhanced Prudential Standards).

A covered entity would also be required to establish risk tolerances consistent with its risk appetite and strategy.

The board of directors (or an appropriate board committee) would be required to approve the entity's cyber risk management strategy and hold senior management accountable for establishing and implementing policies consistent with the strategy.

The board of directors would also be required to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise.

The agencies are considering whether to require senior leaders with responsibility for cyber risk to be independent of business line management, and to have direct, independent access to the board of directors.

Cyber risk management

Each covered entity would be required, to the greatest extent possible, to integrate cyber risk management into the responsibilities of at least three independent functions:

Business units: The agencies are considering requiring business units to assess the cyber risk associated with the unit's activities, including by ensuring that information regarding those risks is shared with senior management, including the CEO, as appropriate.

Independent risk management: The agencies are considering requiring covered entities to incorporate enterprise-wide cyber risk management into the responsibilities of an independent risk management function:
o This function would report to the chief risk officer (CRO) and board of directors, as appropriate, regarding implementation of the cyber risk management framework.
o The function would be required to continually assess the firm's overall exposure to cyber risk and notify the CEO and board of directors when its assessment differs from a business unit's assessment.

Internal audit: The agencies are considering explicitly requiring the internal audit function to assess whether the cyber risk management framework complies with applicable laws and regulations. Internal audit would also be required to assess cyber risk as part of the overall audit plan.

Application of enhanced standards (2 of 2)

Internal dependency management

The agencies are considering requiring covered entities to integrate an internal dependency management strategy into their overall strategic risk management plan.

The agencies are considering requiring covered entities to maintain a current and complete listing of all internal assets and business functions that would enable timely notification of internal cyber risk management issues.

External dependency management

The agencies are considering requiring covered entities to integrate an external dependency management strategy into their overall strategic risk management plan, and to reduce cyber risks associated with external dependencies and interconnection risks.

The agencies are considering requiring covered entities to maintain a current, accurate, and complete awareness of all external dependencies and trusted connections on an enterprise-wide basis, based on their criticality to the business functions they support.

Incident response, cyber resilience, and situational awareness

Each covered entity would be required to be capable of operating critical business functions in the face of cyber-attacks and to continuously enhance its cyber resilience. In addition, each covered entity would be required to establish processes designed to maintain effective situational awareness capabilities to reliably predict, analyze, and respond to changes in the operating environment.

The agencies are considering requiring covered entities to establish:
o Effective incident response and cyber resilience governance, strategies, and capabilities that enable them to anticipate, withstand, contain, and rapidly recover from a disruption caused by a significant cyber event
o Plans to identify and mitigate the cyber risks they pose through interconnectedness to sector partners and external stakeholders, to prevent contagion
o Strategies to meet their obligations for performing core business functions in the event of a disruption, including the potential for multiple concurrent interruptions
o Protocols for secure, immutable, off-line storage of critical records, including financial records, loan data, asset management account information, and daily deposit account records
o Mechanisms to transfer business to another entity or service provider with minimal disruption and within prescribed time frames if the original covered entity or service provider is unable to perform them

The agencies are also considering requiring covered entities to conduct specific testing that addresses disruptive, destructive, or any other cyber event that could affect their ability to service clients, as well as testing that addresses external interdependencies.

Application of sector-critical standards

While the five categories of enhanced standards would apply to all systems of covered entities, the agencies would impose more stringent requirements on sector-critical systems.

Proposed definition

Consistent with a 2003 interagency paper on sound practices to strengthen the resilience of the US financial system, the agencies are considering whether systems that support the clearing or settlement of at least 5 percent of the value of transactions in one or more of the following markets should be considered sector-critical systems for purposes of the sector-critical standards:
o Federal funds, foreign exchange, commercial paper, US Government and agency securities, corporate debt and equity securities

The agencies are also considering whether the following should be deemed sector-critical systems:
o Systems that support the clearing or settlement of at least 5 percent of the value of transactions in other markets (e.g., exchange-traded and over-the-counter derivatives), or systems that support the maintenance of a significant share (e.g., 5 percent) of the total US deposits or balances due from other depository institutions

Any services provided by third parties that support a covered entity's sector-critical systems would be subject to the same sector-critical standards.

Proposed standards

The agencies are considering requiring covered entities to reduce the residual risk of sector-critical systems by implementing the most effective commercially available controls, and to substantially mitigate the risk of a disruption or failure due to a cyber event.

The agencies are also considering requiring covered entities to establish a recovery time objective of two hours for their sector-critical systems, validated by testing, to recover from a disruptive, corruptive, or destructive cyber event.

The FRB is considering requiring supervised entities, at the holding company level, to quantitatively measure their ability to reduce the aggregate residual cyber risk of their sector-critical systems and their ability to reduce such risk to a minimal level.

Interaction with existing cyber requirements

The standards envisioned by the ANPR would not replace existing cyber standards, including those set forth by the Federal Financial Institutions Examination Council (FFIEC), but would complement them.

Key takeaways

Through the FFIEC, the agencies issued the Uniform Rating System for Information Technology (URSIT) in 1978, which is used by federal and state regulators to uniformly assess IT risks at financial institutions, their affiliates, and service providers:
o The standards set forth by the ANPR would not replace the URSIT ratings, but could be used to inform the cyber-related elements of the URSIT rating for covered entities.

In 2003, the FFIEC published the first in a series of booklets on IT that comprise the IT Handbook, which provides guidance to examiners in reviewing financial institutions and services provided by third parties:
o IT Handbook guidance would continue to be used to assess covered entities' IT risk management.

In 2015, the FFIEC issued the Cybersecurity Assessment Tool, a voluntary self-assessment that financial institutions could use to help assess their cyber risks and determine their cybersecurity preparedness:
o Unlike the standards that will be finalized following the public consultation, the tool does not establish binding minimum standards.

Similarly, the NIST Cybersecurity Framework (CSF) is a voluntary framework that may help financial institutions to manage and reduce their cyber risk:
o Unlike the standards that will be finalized following the public consultation, the CSF does not establish binding minimum standards.

International standards

As the agencies developed the ANPR, they considered June 2016 guidance from the Committee on Payments and Market Infrastructures (CPMI) and International Organization of Securities Commissions (IOSCO) on cyber resilience for FMIs.

Quantifying cyber risk and implementing enhanced standards

Importantly, the agencies seek feedback on a methodology for quantifying cyber risk across the industry, as well as on the regulatory approach for establishing the enhanced standards set forth by the ANPR.

Quantifying cyber risk

Noting that the agencies are seeking to develop a consistent, repeatable methodology to support the ongoing measurement of cyber risk, the ANPR states that the agencies are not aware of any consistent methodologies to measure cyber risk across the financial sector using specific cyber risk management objectives.

The agencies seek comment on potential methodologies to quantify inherent and residual cyber risk and compare entities across the financial sector.

The ANPR notes that the agencies are familiar with existing methodologies to measure cyber risk, including the FAIR Institute's Factor Analysis of Information Risk standard and Carnegie Mellon's Goal-Question-Indicator-Metric process.

Implementing enhanced standards

The ANPR notes that the agencies are considering various regulatory approaches to establishing the enhanced standards, including:
o Through a policy statement or guidance
o By imposing the standards through a detailed regulation

The agencies seek comment on which option to pursue to implement the standards.

Proposed next steps

Although the ANPR is subject to a public comment period that ends on January 17, 2017, before the agencies can take further action, covered entities should carefully analyze the proposal now to determine the impact on their organization.

Recommendations

Each covered entity should consider the following steps before the agencies review the public comments on the ANPR and develop a formal proposal:
o Assess its current policies and procedures and understand how they compare to the requirements set forth by the ANPR
o Identify any gaps that would need to be addressed to comply with the standards envisioned by the ANPR
o Examine its internal and external dependencies, and consider whether any significant changes are necessary to the management of such dependencies
o Understand whether any current systems would qualify as sector-critical systems, and assess whether current capabilities exist for meeting the sector-critical standards that may be established for these systems
o Enhance current employee training programs with respect to cybersecurity and information systems

Contacts

Edward Powers, National Managing Principal, Deloitte Advisory, edpowers@deloitte.com, +1 212 436 5599
Vikram Bhat, Principal, Deloitte Advisory, vbhat@deloitte.com, +1 973 602 4270
Walter Hoogmoed, Principal, Deloitte Advisory, whoogmoed@deloitte.com, +1 973 602 5840
Julia Kirby, Managing Director, Deloitte Advisory, jukirby@deloitte.com, +1 202 879 5685
Chris Spoth, Managing Director, Deloitte Advisory, Executive Director, Center for Regulatory Strategies, cspoth@deloitte.com, +1 202 378 5016
James Caldwell, Partner, Deloitte Advisory, jacaldwell@deloitte.com, +1 704 227 1444
Julie Bernard, Principal, Deloitte Advisory, juliebernard@deloitte.com, +1 704 227 7851
Andrew Morrison, Principal, Deloitte Advisory, anmorrison@deloitte.com, +1 404 220 1170

About the Deloitte Center for Regulatory Strategies

The Deloitte Center for Regulatory Strategies provides valuable insight to help organizations in the financial services, health care, life sciences, and energy industries keep abreast of emerging regulatory and compliance requirements, regulatory implementation leading practices, and other regulatory trends. Home to a team of experienced executives, former regulators, and Deloitte professionals with extensive experience solving complex regulatory issues, the Center exists to bring relevant information and specialized perspectives to our clients through a range of media including thought leadership, research, forums, webcasts, and events. www.deloite.com/us/centerregulatorystrategies

This presentation contains general information only, and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.