Shearman & Sterling LLP | Financial Regulatory Developments Focus

The following posts provide a snapshot of the principal U.S., European and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.

  • US Federal Reserve Board Vice Chairman for Supervision Discusses Financial Regulation and Cybersecurity

    Randal Quarles, Vice Chairman for Supervision of the U.S. Board of Governors of the Federal Reserve System, provided brief remarks at the Financial Services Roundtable 2018 Spring Conference. Vice Chairman Quarles noted the importance of reviewing the post-crisis regulatory regime to determine which regulations may not be functioning effectively or as intended, and of making changes as necessary. He noted the importance of evaluating the costs and benefits of regulatory initiatives, as well as their effect both on the resiliency of the financial system and on credit availability and growth. He focused in particular on cybersecurity, which he described as a high priority for the Federal Reserve Board. Given the dynamic and highly sophisticated nature of cyber attacks, Vice Chairman Quarles emphasized the need for collaboration in this area, both among private sector stakeholders and between the private sector and federal financial regulators. He noted that the Federal Reserve Board is continuing to work with other financial regulatory agencies to harmonize cyber risk-management standards and supervisory expectations and to align them with existing best practices such as the National Institute of Standards and Technology's Cybersecurity Framework.

    View full text of Vice Chairman Quarles's remarks.
  • New York State Department of Financial Services Reminds Institutions of Upcoming Deadline for Cybersecurity Certification

    New York State Department of Financial Services Superintendent Maria Vullo issued a press release reminding regulated entities and licensed persons of the NYDFS's upcoming February 15, 2018 compliance certification deadline under New York's cybersecurity regulation, which took effect in March 2017. New York's cybersecurity regulation generally requires (i) that regulated entities establish, review and assess cybersecurity policies and procedures designed to protect consumer data, (ii) that regulated entities have a Chief Information Security Officer and (iii) that the policies and procedures be approved by an entity's board of directors or a senior officer. Covered entities and individuals will be required to submit the certification, which attests to compliance with New York's cybersecurity regulation for 2017, through the NYDFS's cybersecurity portal. The press release also provides a link to a series of frequently asked questions regarding the cybersecurity regulation generally and the upcoming filing deadline, including which subparts of the regulation apply to this year's certification and which will apply to the 2019 certification. Superintendent Vullo also announced that the cybersecurity evaluation will be incorporated into all NYDFS examinations of regulated entities.

    View full text of the press release.
  • European Banking Authority Issues Guidelines for Assessing and Managing Security and Operational Risks in Payment Services

    The European Banking Authority has published finalized guidelines to assist payment service providers in conducting appropriate risk assessment and risk management of operational and security risks. The finalized guidelines contain some changes from the draft guidelines on which the EBA launched a consultation in May 2017.

    Read more.
  • G20 Leaders Outline Action Plan Following Hamburg Summit

    The G20 Leaders met in Hamburg, Germany on July 7-8, 2017 and have published a Leaders' Declaration and an Action Plan setting out the G20's strategy for achieving strong, sustainable, balanced and inclusive growth. The Action Plan includes ongoing and planned work on financial sector regulation and development.

    Read more.
  • New York's Department of Financial Services Issues Updated Cybersecurity FAQs

    New York's Department of Financial Services issued FAQs on its new cybersecurity requirements. Among other things, the updated guidance confirms that a financial services firm regulated by the DFS, referred to as a "covered entity", may adopt an affiliate's cybersecurity program, in whole or in part, so long as the covered entity's overall cybersecurity program meets the requirements under DFS regulations. In addition, to the extent that an entity relies on an affiliate's cybersecurity policies and procedures in whole or in part, those policies and procedures must be made available for examination by the DFS.

    View the FAQs.
  • New York State Department of Financial Services Finalizes Cybersecurity Regulation

    The New York State Department of Financial Services issued its final cybersecurity regulation for financial services companies. The final regulation, which takes effect March 1, 2017, requires banks, insurance companies and other financial services institutions regulated by the NYSDFS to establish and maintain a cybersecurity program designed to protect consumers' private data, based on an assessment of each institution's risk profile. The NYSDFS initially proposed the regulation in September 2016 and then revised and re-proposed it in December 2016. The final rule requires that the program be adequately funded and staffed, overseen by qualified management and reported on periodically to the most senior governing body of the organization. Additionally, an officer of each covered financial services company must annually certify its compliance to the NYSDFS. The final rule contains several changes from the original proposal, including clarification of the ability of a covered financial services company to rely on an affiliate's cybersecurity program to satisfy the rule, and expanded exemptions, including for entities with limited activities in New York.

    View the final rule.
  • Federal Banking Agencies Extend Comment Period for Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards

    The Federal Reserve, the OCC and the FDIC extended the comment period on an advance notice of proposed rulemaking on enhanced cyber risk management standards. The proposal, originally issued on October 26, 2016, addressed enhanced cyber risk management standards for large and interconnected entities under the supervision of the federal banking agencies. The proposal addressed five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. In the notice announcing the extension, the federal banking agencies stated that the range and complexity of the issues addressed in the proposal warranted a longer public comment period. All comments on the proposal are due on February 17, 2017.

    View text of notice of extension of comment period.
  • New York State Department of Financial Services Reproposes Cybersecurity Regulation

    The New York State Department of Financial Services (NYSDFS) reproposed its first-in-the-nation cybersecurity regulation to protect New York State from the threat of cyber-attacks. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies and other financial services institutions regulated by NYSDFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

    The NYSDFS considered comments submitted regarding the previously proposed regulation during a 45-day comment period, which ended on November 14, 2016, and has incorporated appropriate comments into the updated regulation, which will be subject to an additional final 30-day notice and public comment period. The NYSDFS will focus its final review on any new comments that were not raised in the original comment process.

    View reproposed regulation.
  • US Federal Reserve Board, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation Issue Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards

    The US Federal Reserve Board, OCC and FDIC jointly released an advance notice of proposed rulemaking seeking comments on enhanced cybersecurity risk-management and resilience standards. The new rule would apply to any depository institution or holding company with consolidated assets of at least $50 billion, foreign banking organizations with total US assets of at least $50 billion, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board.

    Read more.

  • G7 Publishes Fundamental Elements of Cyber Security for the Financial Sector

    The G7 Cyber Expert Group published a statement on the fundamental elements of cyber security in the financial sector. The high-level elements are intended to assist financial sector entities in designing and implementing their cyber security strategy and operating framework, as well as to guide public authorities in developing their policies. The elements include establishing a cybersecurity strategy and operating framework; governance; risk and control assessments; monitoring; timely and proportionate response to a cyber incident; recovery of operations and remediation following a cyber security event; information sharing; and regular review of the strategy and framework to address relevant changes. The elements are not legally binding.

    View the elements of cyber security.
  • International Task Force to Review Cyber Security of Wholesale Payments

    The Bank for International Settlements' Committee on Payments and Market Infrastructures announced that it had established a task force to review the security of wholesale payments involving banks, financial market infrastructures and other financial institutions. The CPMI is tasked with setting global standards for payment, clearing and settlement services. The first phase will involve a review of current practices in the area, with future efforts to be determined based on the findings. The task force follows earlier CPMI work on cyber security and operational risk, including publication of the Guidance on cyber resilience for financial market infrastructures and the CPMI-IOSCO Principles for Financial Market Infrastructures.

    View the press release.

    View the Guidance on cyber resilience.

    View the Principles for Financial Market Infrastructures.
  • NYS Financial Services Department Proposes Cybersecurity Regulations

    The New York State Department of Financial Services proposed regulations requiring banks, insurance companies and other NYDFS-regulated institutions to promptly adopt a cybersecurity program, and setting forth certain minimum standards for such programs. As part of establishing a cybersecurity program, each covered entity would be required to, among other things, adopt a written cybersecurity policy, designate a chief information security officer responsible for implementing, overseeing and enforcing the new program and policy, and maintain policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. Institutions would also be required to comply with additional requirements in order to protect the confidentiality, integrity and availability of information systems. The proposed regulations would also require senior management of covered entities to file an annual certification confirming compliance with the regulations, beginning in January 2018.

    The NYDFS notes that while these regulatory minimum standards are warranted, the standards are not intended to be overly prescriptive, so that cybersecurity programs can be matched to the relevant risks and keep pace with technological advances. The proposed regulations are subject to a 45-day notice and public comment period before their final issuance.

    View proposed regulations.
  • US National Institute of Standards and Technology Seeks Cybersecurity Information in Digital Economy

    The US NIST issued a request for information regarding current and future cybersecurity initiatives in the digital economy, in connection with its directive to support the Commission on Enhancing National Cybersecurity. The Commission will ultimately make recommendations on actions that can be taken to strengthen cybersecurity in both the public and private sectors. NIST is seeking information on current trends, progress being made, short-term initiatives and perceived long-term challenges in respect of several cybersecurity topics as the Commission formulates recommendations intended to "increase the protection and resilience of the digital ecosystem." Topics on which the Commission is soliciting information include critical infrastructure cybersecurity, cybersecurity research and development, international markets and the internet of things. Comments were due on September 9, 2016.

    View NIST Request for Comment.
  • New EU Directive on Security of Network and Information Systems

    A new Directive on cyber security was published in the Official Journal of the European Union. The Directive aims to achieve a common high level of security of network and information systems within the EU. It requires all Member States to adopt a national strategy on the security of network and information systems and establishes security and incident notification requirements for operators of essential services and for digital service providers. The Cyber Security Directive applies to certain credit institutions, any operator of a trading venue and central counterparties.

    Read more.
  • US Office of Inspector General to Audit Federal Reserve Board's Oversight of Cybersecurity Threats

    As part of its Work Plan for the fourth quarter, the Federal Reserve Board’s Office of Inspector General announced that it will audit the Federal Reserve Board’s oversight of cybersecurity threats to financial institutions. According to the OIG, the growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions. The OIG will focus its review on how the Federal Reserve System’s examination process has evolved and whether it is providing adequate oversight of financial institutions’ information security controls and cybersecurity threats.

    View OIG Work Plan.
  • US Federal Financial Institutions Examination Council Issues Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks

    The US Federal Financial Institutions Examination Council issued a statement reminding financial institutions to actively manage the risks associated with interbank messaging and wholesale payment networks in light of recent cyber attacks on such systems. The statement does not contain new regulatory expectations for IT risk management; rather, it alerts financial institutions to specific risk mitigation techniques that can help prevent such attacks. The statement encourages financial institutions to review their risk management practices and controls, including authentication, authorization, fraud detection, and response management systems and processes.

    View the statement.
  • Chief Information Officer of US Federal Deposit Insurance Corporation Testifies before the US House of Representatives on Information Security

    Lawrence Gross, Chief Information Officer and Chief Privacy Officer of the US Federal Deposit Insurance Corporation, testified before the Subcommittee on Oversight of the Committee on Science, Space, and Technology of the U.S. House of Representatives. He discussed the FDIC's information security program and its ability to identify, analyze, report and remediate data security incidents. Gross noted that employees and contractors with access to sensitive information receive annual training to ensure they report incidents. The FDIC also has a security incident response and escalation plan in place to ensure the systematic gathering and analysis of facts relevant to an incident, and an interdisciplinary team responsible for determining the appropriate course of action where there is an elevated risk of harm. After all facts have been gathered, the FDIC takes steps to mitigate the risk of harm and undertakes reporting and notifications commensurate with the severity of the incident. Gross also detailed several remedial steps the FDIC is currently taking to further lower the risk of sensitive information being exposed.

  • Industry Associations Publish Principles on International Cyber Security, Data and Technology

    Several industry associations jointly published a paper titled International Cybersecurity, Data and Technology Principles and urged the Financial Stability Board and the International Organization of Securities Commissions to take the Principles into account when developing policy and standards on cyber security, data and technology. The industry associations believe that cyber security for global financial institutions can only be addressed at an international level and are concerned that divergent rules across jurisdictions may fragment the technology systems of global businesses, resulting in harm to competition, innovation and investors. The industry associations recommend that the Principles be taken into account whenever a country creates laws, regulations, rules or standards on cyber security that could affect the framework within which financial services firms operating on a global basis must work. The industry associations are the European Banking Federation, the Global Financial Markets Association and the International Swaps and Derivatives Association.

    View the Principles.
  • International Report on Cyber Security in Securities Markets

    The International Organization of Securities Commissions published a report on cyber security in securities markets from an international perspective. The purpose of the report is to assist IOSCO members and market participants in enhancing cyber security in securities markets. The report outlines, from an international perspective, the various approaches adopted by market participants and the initiatives implemented by different regulators. It focuses on the main regulatory challenges associated with cyber security across reporting issuers, trading venues, market intermediaries, asset managers and financial market infrastructures. The report states that regulators could cooperate to improve cyber security by exchanging information on threats, security vulnerabilities and previous cyber-attacks that could be relevant to other regulated entities and market participants, specifically information on the methods used by cyber criminals, exploited vulnerabilities of which they are aware, ways of preventing attacks similar to those previously committed, and emerging cyber risk trends. IOSCO concludes that the fluid nature of securities markets requires market participants and regulators to constantly evolve their responses to cyber security issues.

    View the report.
  • Federal Reserve Bank of Boston President Offers Perspectives on Economic and Cyber Risks

    While speaking at the Federal Reserve Bank of Boston’s 2016 Cybersecurity Conference, Boston Fed President Eric Rosengren addressed risks in the cyber realm, noting that such risks are not abating. In Rosengren’s view, banking organizations need to continue to evolve as these risks morph, and as new innovations and expectations of convenience introduce new challenges to security. Rosengren stated, “cyber risks make it imperative that we all work together to ensure that resiliency, monitoring, detection, and recovery capabilities are operational in the financial system.”

    View Rosengren's remarks.
  • US Deputy Treasury Secretary Sarah Bloom Raskin Provides Remarks on Cyber Security

    US Deputy Treasury Secretary Sarah Bloom Raskin discussed the steps financial sector participants should take to respond to and recover from a cyber attack. She noted that the key to an effective response and recovery is preparation, coordination and practice, especially given that in a widespread cyber attack on the financial system, time would be of the essence. While the financial system has not yet experienced such an attack, Raskin warned that recent interconnected cyber attacks, including large-scale Distributed Denial of Service (DDoS) attacks, theft and misuse of customer data, and destruction of systems and data, show that coordination is imperative in the face of large-scale attacks. Raskin also discussed the government's role, and specifically the US Treasury's role, in responding to such an attack and helping the financial sector recover from it. In particular, she mentioned the Treasury's role in coordinating with federal and state financial and banking regulators, as well as other government agencies, to communicate information effectively and to enhance incident response preparation, including response playbooks and cybersecurity table-top exercises. Raskin encouraged the private sector to create robust cyber incident playbooks that identify the key players, actions and timelines to be employed in the event of a cyber attack.

    View Deputy Treasury Secretary Raskin's speech.
  • US Comptroller of the Currency Discusses Cross-Border Cooperation and De-Risking

    US Comptroller of the Currency Thomas Curry discussed the importance of international cooperation and of comprehensive cross-agency, cross-border approaches to cybersecurity and to the fight against money laundering. Comptroller Curry also addressed risk re-evaluation, commonly known as de-risking, in which banks evaluate the BSA/AML risks posed by their customers and foreign correspondent banks. He noted that while these relationships may pose legitimate risks, there may be important reasons to preserve them, a decision that the OCC does not dictate but leaves to the banks. Comptroller Curry noted that the OCC is gathering information through the supervisory process on how banks conduct risk re-evaluation, including how they implement policies and procedures for evaluating customer risk, whether they have policies on risk re-evaluation, and how decisions to terminate such relationships are made and reviewed. He noted that the OCC may issue guidance upon completing this review.

    View speech.
  • US Federal Deposit Insurance Corporation Publishes Article Regarding Enhancing Banks' Cybersecurity Programs

    The US Federal Deposit Insurance Corporation published "A Framework for Cybersecurity" in the Winter 2015 issue of its journal "Supervisory Insights". The article addresses the current state of cyber threats and how financial institutions' information security programs can be modified to meet evolving cybersecurity risks. The article also summarizes actions taken by the FDIC, individually and with other regulators, in response to the increase in cyber threats.

    The same issue of "Supervisory Insights" also includes articles on marketplace lending, recent lending conditions and risks as reported through the FDIC's Credit and Consumer Products/Services Survey, and an overview of recently released FDIC regulations and supervisory guidance.

    View the journal.

  • US Financial Crimes Enforcement Network Director Speech on Financial Intelligence Data and Cyber Threats

    The Director of FinCEN, Jennifer Shasky Calvery, delivered a speech regarding FinCEN's efforts to gather financial intelligence data and mitigate cyber threats. Director Calvery discussed the methods by which FinCEN gathers data through its Bank Secrecy Act reporting stream and then uses that data to combat cyber threats. She also discussed FinCEN's recent analytical enhancements and its efforts to work alongside foreign Financial Intelligence Units to identify information that could help prevent cyber incidents. Finally, she stressed the importance of information sharing among law enforcement, the private sector, government and international counterparts in recognizing and coping with threats to the financial system.

    View the speech.
  • European Union Agency for Network and Information Security Reports on the Secure Use of Cloud Computing in the Finance Sector

    The European Union Agency for Network and Information Security published a report on the secure use of cloud computing in the finance sector. ENISA makes recommendations to financial institutions, national regulators and cloud service providers aimed at facilitating the secure adoption of cloud services in the finance sector. According to ENISA, the key issues hampering the adoption of cloud services by financial institutions are: (i) financial institutions and their national regulators remain unconvinced of the security benefits of cloud computing, even though CSPs treat security as very important and risk assessments have been carried out by various expert bodies, including ENISA; (ii) a lack of detailed guidance on how national regulations apply to cloud computing; and (iii) guidance from national regulators on meeting regulatory requirements when adopting cloud computing needs further development. ENISA's recommendations include: (i) national regulators, financial institutions and CSPs should communicate and collaborate effectively to help the cloud market evolve more quickly; (ii) financial institutions should develop a cloud computing strategy and take a risk-based approach to moving to the cloud; (iii) CSPs should increase the transparency of their cloud offerings for financial institutions and their regulators; and (iv) the European Commission, European agencies and industry bodies should work together to improve the understanding of cloud computing.

    View the report.
  • Committee on Payments and Market Infrastructures and International Organization of Securities Commissions Consultation on Cyber Resilience

    The Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions published a consultation paper on guidance on cyber resilience for Financial Market Infrastructures. The guidance aims to encourage FMIs to pre-empt and respond rapidly to cyber-attacks and addresses five primary risk management categories that are significant for the cyber resilience of FMIs: (i) governance; (ii) identification; (iii) protection; (iv) detection; and (v) response and recovery. The guidance states that systems must be continuously improved to maximize cyber resilience, that it is imperative for FMIs to resume operations rapidly and safely after a successful cyber-attack, and that senior management attention is critical to a cyber resilience strategy. Comments on the consultation are due by February 23, 2016.

    View the consultation.
  • Remarks by US Deputy Secretary of the Treasury Sarah Bloom Raskin at The Clearing House Annual Conference

    US Deputy Secretary of the Treasury Sarah Bloom Raskin delivered a speech at The Clearing House annual conference discussing cybersecurity and resiliency in the financial services sector. Raskin emphasized the need for greater cooperation among financial sectors and governments globally in order to mitigate cybersecurity threats. She also stressed the importance of financial institutions embedding cybersecurity into their risk management and control procedures, practicing basic "cyber hygiene" by bolstering the resiliency of their computer systems, and preparing a recovery playbook for significant cyber incidents.

    View the speech.
  • Expansion of the US Board of Governors of the Federal Reserve System's Emergency Communications System

    The Federal Reserve Board issued SR Letter 15-10/CA 15-8 announcing the expansion of its Emergency Communications System, a service that maintains a database of emergency contacts so that Federal Reserve System staff can communicate with financial institutions in the event of a natural disaster or operational emergency. The expansion will require supervised institutions to identify and register "designated cyber emergency contact(s)" whom Federal Reserve staff may contact in the event of a cyber emergency. The Federal Reserve will periodically test the system, verifying each contact's business telephone number and e-mail address and confirming delivery of test messages.

    View the Federal Reserve Board press release.

    View the SR Letter 15-10/CA 15-8.

  • US Office of the Comptroller of the Currency Highlights National Cybersecurity Awareness Month

    The Comptroller of the Currency, Thomas J. Curry, issued a statement recognizing October as National Cybersecurity Awareness Month, as designated by President Obama. Mr. Curry stated that the goal of the month is to "raise awareness of threats to the data systems that have become part of our everyday lives and to encourage each of us to take steps to safeguard those systems." Mr. Curry's statement noted the increasing prevalence of cybersecurity breaches and encouraged banks, thrifts and supervisory agencies to work together to prevent breaches and to ensure that institutions have a plan in place to effectively detect, assess and respond to cyber-attacks.

    View the press release.
  • US Securities and Exchange Commission Charges Investment Advisor with Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach

    The US Securities and Exchange Commission announced that R.T. Jones Capital Equities Management, an investment adviser, agreed to settle charges that it failed to adopt required cybersecurity policies and procedures before a breach that compromised the personally identifiable information of approximately 100,000 individuals. Federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. The SEC's investigation found that R.T. Jones violated this "safeguards rule" for approximately four years before the breach by failing to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information. The SEC's order found that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. In the settlement, R.T. Jones agreed to cease and desist from future violations of Rule 30(a) and to pay a $75,000 penalty.

    View the SEC press release.
  • US Deputy Comptroller Discusses Cybersecurity

    Grovetta Gardineer, Deputy Comptroller for Compliance Operations and Policy at the US Office of the Comptroller of the Currency, discussed the Cybersecurity Assessment Tool issued by the Federal Financial Institutions Examination Council in June 2015. According to Gardineer, the tool provides a common framework for assessment across institutions and represents a step forward in the supervision of banks and thrifts on cybersecurity. While use of the tool is optional for financial institutions, OCC examiners will use it to supplement their examination work and to obtain a stronger and more complete understanding of the cybersecurity risks faced by financial institutions.

    View press release.

    View the speech.
  • Bank of England Publishes Financial Stability Report Identifying Main Current Risks in UK Financial System

    The Bank of England published its Financial Stability Report, which identifies the main current risks in the UK financial system. The report sets out recommendations made by the Financial Policy Committee on Additional Tier 1 capital for the purposes of the minimum leverage ratio requirement. The report recommends to the Prudential Regulation Authority that AT1 capital should count towards Tier 1 capital only if the relevant capital instrument specifies a trigger event that occurs when the institution's Common Equity Tier 1 capital ratio falls below 7%. The report also directs the BoE, PRA and Financial Conduct Authority to work with firms to complete cyber-attack resilience assessments (also known as CBEST tests), to adopt cyber-resilience action plans and to establish arrangements for CBEST tests to become regular cyber resilience assessments within the UK financial system. The report also refers to recommendations on the new UK leverage ratio framework, which are discussed in further detail below.

    View the report.
  • US Federal Financial Institutions Examination Council Develops Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors

    The Federal Financial Institutions Examination Council, an interagency body composed of the US Board of Governors of the Federal Reserve System, the FDIC, the US National Credit Union Administration, the US Office of the Comptroller of the Currency and the US Consumer Financial Protection Bureau, announced the release of a Cybersecurity Assessment Tool. The tool, together with other resources the FFIEC makes available to financial institutions, is available to all financial institutions regardless of asset size and is intended to help senior management and boards of directors assess their institution's cybersecurity risk and preparedness.

    View the Federal Reserve Board press release.

    View the cybersecurity assessment tool.

  • UK Government Reports on Cyber Risk Insurance

    The UK Government published a report on managing and mitigating cyber security risks with cyber insurance. The report details how insurers and insurance can play a role in reducing cyber security risks. The report notes that there is a lack of awareness that insurance is available for cyber risk, and recommends that firms review their cyber risk management to include a board-level assessment of cyber risk, draw up recovery plans and use stress testing to confirm financial resilience against cyber threats. The report also gives details of the Government's new industry-supported scheme, Cyber Essentials, which was developed as part of the UK's National Cyber Security Programme and guides businesses in protecting themselves against cyber threats.

    View the report.