The following posts provide a snapshot of the principal U.S., European and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.
UK Court Grants Asset Preservation Order over Bitcoin
A U.K. court has granted an asset preservation order over Bitcoin stolen in a "spear phishing" attack on a major crypto-currency trader. The decision confirms that proprietary claims over Bitcoin constitute serious issues that should be tried in the courts. Although the presiding judges did not make a final ruling on the legal questions surrounding the nature of Bitcoin ownership, it is believed that this is the first time the English courts have considered the nature of crypto-currencies as property.
UK Financial Conduct Authority Issues Response to EU Opinion on Strong Customer Authentication
The U.K. Financial Conduct Authority has issued a statement confirming its intended approach to enforcing firms' compliance with EU "strong customer authentication" rules that will apply across the EU from September 14, 2019.
European Banking Authority Publishes Opinion on Strong Customer Authentication Under Payment Services Directive
The European Banking Authority has published an Opinion on market approaches to payment authentication that will be deemed compliant with the new rules on strong customer authentication coming into force later this year.
European Commission Publishes Report on Implementation of Wire Transfer Regulation
The European Commission has published a report detailing: (i) the extent to which Member States have implemented the sanctions and monitoring sections of the EU Wire Transfer Regulation; and (ii) the particular sanctioning activities that national regulators have adopted under the Regulation. The Commission was obliged to provide the report to the European Parliament and Council of the European Union under the Wire Transfer Regulation. Although Member States are not obliged to take specific steps in response to the report's findings, the Commission concludes the report by stating its intention to continue to support Member States in their implementation of the Wire Transfer Regulation and reserves the right to take further measures to ensure the Regulation is correctly implemented by all Member States.
Bank of England Publishes Report on the Future of the UK Financial System and the Bank's Priorities for the Future
Huw van Steenis, the Bank of England financier appointed by the BoE in 2018 to review the future of the U.K. financial system, has published his "Future of Finance" report, setting out a vision for the medium-term future of the U.K. financial system and the BoE's role in supporting that. The report was based on consultations with entrepreneurs, financiers, tech firms, global investors, consumer groups, charities, policymakers and business leaders across the U.K. and overseas. In response, the BoE has published a document which sets out the actions it intends to take to deal with the challenges and opportunities identified in the report.
Basel Committee on Banking Supervision Discusses Supervisory Initiatives and Approves Implementation Reports
Central bankers and banking supervisors of the Basel Committee on Banking Supervision met this week to discuss a range of policy and supervisory initiatives.
International Cyber Task Force Reports on Cyber Regulation
The International Organization of Securities Commissions has published the final report of its Cyber Task Force on cyber regulation. The report sets out how IOSCO member jurisdictions apply three recognized cyber frameworks - the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures; the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity; and the International Organization for Standardization 27000 series standards. The Cyber Task Force does not propose that IOSCO issues any further guidance on this topic, as this could lead to duplication. The report is instead intended to be a resource for financial market regulators and firms, to raise awareness of existing cyber guidance and to encourage the adoption of good practices. The Cyber Task Force recommends that IOSCO's member jurisdictions use these standards to close any gaps in their existing cyber frameworks and that further work is undertaken to establish where those gaps are.
View the report.
Financial Stability Board Publishes Progress Report on Cyber Incident Response
The Financial Stability Board has published a progress report on the activities and work plan of its Cyber Incident Response and Recovery working group. The working group was established in 2018 with a mandate to develop a toolkit of practices for financial institutions and authorities in preparing for and dealing with cyber incidents.
UK Secondary Legislation Published to Combat Cyber-Attacks
The Cyber-Attacks (Asset-Freezing) Regulations 2019 have been made and will come into force on June 11, 2019.
The U.K. Regulations put in place measures applicable to U.K. nationals, U.K. incorporated entities and certain regulated institutions that will help enforce the financial sanctions provisions of the EU's new Cyber-Attacks Regulation, which came into force on May 18, 2019. The Cyber-Attacks Regulation is designed to combat cyber-attacks emanating from outside the EU against EU institutions and Member States. Its provisions include granting the Council of the European Union the ability to freeze assets of persons or entities suspected of involvement in such attacks. In order to enforce the sanctions regime throughout the EU, Member States are required to put in place legislation specifying the penalties that will be imposed upon those found to be implicated in a breach of the EU Cyber-Attacks Regulation.
EU Council Regulation to Combat Cyber-Attacks Published
The EU Council Regulation concerning restrictive measures against cyber-attacks threatening the European Union or its Member States came into force on May 17, 2019 and will apply directly across the EU from May 18, 2019.
UK Financial Conduct Authority Reports on Cyber Security Resilience in Financial Services
The Financial Conduct Authority has published a report entitled "Cyber and Technology Resilience: Themes from cross-sector survey 2017-2018." The FCA compiled the report by requesting 296 firms during 2017 and 2018 to provide a self-assessment of their cyber and technological capabilities, focusing on governance, delivery of change management, managing third-party risks and the effectiveness of cyber defenses. The FCA analyzed the responses and considered data from firm's responses to recent operational incidents to produce the report.
UK Parliamentary Committee Launches Inquiry Into Operational Resilience in the Financial Services Sector
The U.K. Treasury Committee has announced the launch of a new Inquiry into IT failures in the financial services sector. The Inquiry has been launched in response to recent IT failures at a number of financial institutions that have led to consumers being unable to access their bank accounts or becoming subject to fraud.
The Committee will assess the causes and consequences of these recent IT failures. Among other things, the Committee will consider the extent to which such incidents are becoming more frequent, sources of concentration risk in the financial sector, the impact of legacy IT systems, the effect of outsourcing on operational resilience, best practices in responding to operational incidents and whether the U.K. regulators are able to regulate firms' capabilities for responding to such incidents.
Written submissions can be made to the Committee by January 18, 2019. The Committee will also appoint a special advisor to provide policy advice to the Committee on the issues. Individuals interested in the role should respond to the call for Expressions of Interest.
View the announcement.
Financial Stability Board Publishes Cyber Lexicon
The Financial Stability Board has published the final Cyber Lexicon of terms related to cyber security and cyber resilience. The Lexicon is intended to assist the FSB, other international standard setting bodies (such as the Basel Committee on Banking Supervision, the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions), authorities and the private sector to address threats to cyber security and adopt cyber resilience measures. The FSB has also published an overview of responses to the public consultation, summarizing the main issues that emerged during the FSB's consultation on a draft lexicon and the changes adopted to address them.
European Parliament Adopts Resolution on Distributed Ledger Technologies
The European Parliament has adopted a non-legislative resolution entitled "distributed ledger technologies and blockchains: building trust with disintermediation." Of particular relevance to the financial services sector, the European Parliament is requesting that the European Commission and other EU authorities take various steps to maximize the potential of this technology in the EU.
UK Conduct Regulator Fines Retail Bank for Failures During a Cyber Attack
The U.K. Financial Conduct Authority has published a final notice issued to a U.K. Retail Bank for breaches of Principle 2 of the FCA's Principles for Businesses. Principle 2 requires authorized firms to conduct their business with due skill, care and diligence. The Bank was subjected to a cyber-attack in November 2016, when attackers deployed an algorithm to generate authentic debit card numbers that were then used to make unauthorized transactions. While the attack did not involve loss or theft of customers' personal data, the FCA found that the attack left the Bank's personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours.
UK Financial Conduct Authority Updates Guidance on its Approach to Payment Services and Electronic Money
The U.K. Financial Conduct Authority has updated its Approach Document on payment services and electronic money, to reflect final guidelines issued in December 2017 by the European Banking Authority on security measures for mitigating operational and security risks under the revised Payment Services Directive. The changes will affect all payment service providers. The FCA has also updated its webpage on reporting requirements for payment services providers and e-money issuers to reflect these changes. The webpage includes a link to the revised version of the FCA's REP018 (operational and security risk) reporting form.
The FCA will expect payment services providers to comply with the EBA guidelines, which cover issues such as operational and security risk management framework governance, the use of models, outsourcing and how functions, processes and assets should be identified, classified and risk-assessed. The EBA guidelines also cover security of data integrity, systems and confidentiality as well as physical security and asset control and communication of the security measures to payment service users. PSPs will be expected to report at least annually to the FCA on their operational and security risk management frameworks.
UK Regulators Seek Views on Improving Operational Resilience of Firms and Financial Market Infrastructures
The Bank of England, the U.K. Prudential Regulation Authority and the U.K. Financial Conduct Authority have published a joint discussion paper entitled "Building the UK financial sector’s operational resilience." The Discussion Paper is aimed at opening a dialogue with the financial services industry on achieving what the Authorities view as a "step change" in the operational resilience of firms and Financial Market Infrastructures and at generating debate about the expectations regulators and the wider public might have of the operational resilience of financial services institutions.
While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.
UK Financial Policy Committee Outlines Steps to Reduce Risks to the UK's Financial Stability
The Bank of England has published a Financial Stability Report, dated June 2018, and a record of the Financial Policy Committee Meeting held on June 19, 2018. The Report sets out the FPC's view of the U.K.'s financial stability, the resilience of the U.K.'s financial system and the risks posed to each of those. Where applicable, the Report also notes the steps that the FPC is taking to address the risks. The record of the meeting provides a summary of issues discussed by the FPC in June.
Financial Stability Board Issues Consultation on Developing a Cyber Lexicon
As part of its work on the protection of financial stability against the malicious use of information and communication technologies, the Financial Stability Board has published a draft cyber lexicon for consultation.
In March 2017, the FSB was asked by the G20 Finance Ministers to review and produce a stock-take report on the existing regulation, supervisory practices and guidance on cyber security in the financial sectors of G20 jurisdictions. The G20 welcomed the FSB's stock-take report in October 2017 and asked the FSB to continue its work and to develop a common lexicon of cyber terms.
The FSB stresses that the lexicon is not intended for use in the legal interpretation of any international arrangement or agreement or any private contract. The use of the cyber lexicon will not be mandatory. Its purpose is to support the work of the FSB, standard-setting bodies, national authorities and private sector participants to address, and develop guidance on, cyber security and cyber resilience in the financial sector. In particular, the aim of the cyber lexicon is to create a cross-sector common understanding of relevant cyber security and cyber resilience terminology and to facilitate assessment and monitoring of financial stability risks in cyber risk scenarios.
UK Prudential Regulator Sets out Expectations on Firms' Exposures to Crypto-Assets
The U.K. Prudential Regulation Authority has published a "Dear CEO" letter, addressed to the Chief Executive Officers of banks, insurance companies and designated investment firms. The purpose of the letter is to remind firms of their relevant obligations under the PRA rules and to communicate the PRA's expectations regarding firms' exposures to crypto-assets.
Crypto-assets have exhibited high price volatility and relative illiquidity and may also be vulnerable to fraud and manipulation, which raises concerns about potential misconduct and poses issues for market integrity. The PRA's letter does not define crypto-assets, but the Financial Conduct Authority uses this term to refer to any publicly available electronic medium of exchange that features a distributed ledger and a decentralized system for exchange. The FCA recently published a "Dear CEO" letter outlining best practice for firms in handling the financial crime risks that crypto-assets can pose.
European Supervisory Authorities Make Recommendations to Address Risks in EU Securities, Banking and Insurance Sectors
The Joint Committee of the European Supervisory Authorities has published a report on risks and vulnerabilities in the EU financial system. The ESAs are the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority. The ESAs make recommendations for policy actions by the ESAs, national regulators and financial institutions. A summary of the risks and recommendations contained in the report is set out below.
- To combat cyber risks, the ESAs recommend that financial institutions should continue to improve IT systems, explore risks in the context of information security and take steps to resolve risks surrounding connectivity and outsourcing to third-party providers. The ESAs will continue to keep these risks under review. ESMA is launching a supervisory project on cloud computing outsourcing and will continue work to address supervisory convergence. The EBA is developing guidelines on the management of information and communication technology risks. EIOPA is conducting a qualitative exercise on cyber risk with national regulators and the industry.
US Federal Financial Institutions Examination Council Issues Joint Statement Regarding Cyber Insurance
The U.S. Federal Financial Institutions Examination Council members released a joint statement with respect to cyber insurance and its role in risk management. FFIEC members include the U.S. Board of Governors of the Federal Reserve System, the U.S. Office of the Comptroller of the Currency and the U.S. Federal Deposit Insurance Corporation. The statement and corresponding press release note that the frequency, sophistication and severity of cybersecurity incidents are increasing. As a result, general insurance policies may not provide adequate coverage in the event of a cybersecurity event and cyber insurance options are increasing and evolving in response to these factors. The statement highlights that cyber insurance options vary greatly, and can be in the form of either a standalone policy or an endorsement to an existing insurance policy. The statement cautions, however, that cyber insurance should be viewed as a risk mitigation tool and not as an alternative to sound internal controls, policies and procedures to guard against cybersecurity events. The statement notes that institutions, in considering cyber insurance, should assess their existing cybersecurity risk framework to determine the potential impact and magnitude of residual risk. In weighing cost and benefits of cyber insurance, the statement suggests that institutions should consider involving multiple stakeholders in the decision-making process, perform adequate due diligence to fully understand available policies and coverage options and incorporate cyber insurance into their annual budgeting processes.
View full text of the FFIEC statement.
European Central Bank Consults on Cyber Resilience Oversight Expectations for Eurozone Financial Market Infrastructures
The European Central Bank has launched a consultation on draft "cyber resilience oversight expectations" for financial market infrastructures.
The CROE use, as a basis, the Guidance on Cyber Resilience for Financial Market Infrastructures that was published jointly in June 2016 by the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions. FMIs were required to implement immediately that Guidance, which was supplemental to the Principles for Financial Market Infrastructures published in 2012 by IOSCO and the Committee on Payment and Settlement Systems. The PFMIs were adopted by the Governing Council of the ECB in June 2013. In developing the CROE, the ECB also took into account existing international guidance documents, in particular the Cyber Security Framework published by the U.S. National Institute of Standards and Technology, the ISO/IEC 27002 good practice standard for information security, the COBIT 5 framework for the governance and management of enterprise IT, the Information Security Forum's Standard of Good Practice for Information Security and the U.S. Federal Financial Institutions Examination Council's Cybersecurity Assessment Tools.
UK Financial Conduct Authority Publishes its 2018/19 Business Plan
The Financial Conduct Authority has published its Business Plan for 2018/19 which sets out its key priorities for the coming year. The FCA confirms that it will continue to focus on issues relating to the U.K.'s withdrawal from the EU by working with the Government, ensuring appropriate transition measures for EEA firms, working towards operational readiness and cooperating at international level.
The FCA divides the remainder of its priorities into cross-sector priorities and sector priorities. There are seven cross-sector priorities: firms' culture and governance; financial crime and anti-money laundering; data security, resilience and outsourcing; innovation, big data, technology and competition; treatment of existing customers; long-term savings, pensions and intergenerational differences; and high-cost credit. There are seven sector priority areas: wholesale financial markets; investment management; retail lending; pensions and retirement income; retail investments; retail banking; and general insurance and protection. The FCA also published Sector Views for each of these sectors which provide an FCA view of how each sector was performing as of mid-2017.
Financial Stability Board Publishes Progress Update on its Work to Develop a Cyber Lexicon
The Financial Stability Board has published a Progress Update on its work on the creation of a common lexicon of terms to support the work of the FSB, standard-setting bodies, authorities and private sector participants to address cyber-security and cyber-resilience in the financial sector.
The FSB explains in the Progress Update that the cyber lexicon is not intended as a comprehensive lexicon of all cyber-security and cyber-resilience related terms. Its scope will be limited and focused on the core terms necessary to support the objective of the lexicon, which is to support the work of the above bodies, in particular by creating a cross-sector common understanding of relevant cyber security and cyber resilience terminology and by facilitating assessment and monitoring of financial stability risks in cyber-risk scenarios. It is expected that the lexicon will assist in the work of the FSB and standard-setting bodies to provide guidance related to cyber-security and cyber resilience.
European Supervisory Authorities Issue Final Report on Financial Institutions' Use of Big Data
The Joint Committee of the European Supervisory Authorities has published a final report on the use of Big Data by financial institutions. The Final Report has been prepared following feedback to a discussion paper published in December 2016 by the Joint Committee’s sub-Committee on Consumer Protection and Financial Innovation. “Big Data” is the term used to refer to situations where high volumes of different types of data, produced with high velocity from a wide variety of data sets and sources, is processed (often in real time) by IT tools, such as powerful processors, software and algorithms. Big Data tools have been in use for several years in some sectors, but less so in others. Nevertheless most respondents to the ESAs’ discussion paper agreed that Big Data may have an impact on almost all financial institutions and on their products and services. The use of Big Data techniques can help financial institutions to improve their understanding of customers’ preferences and their interactions with customers and clients. This can enable them to tailor products to their target markets and support effective product governance. However, the use of Big Data also entails risk.
US Federal Reserve Board Vice Chairman for Supervision Discusses Financial Regulation and Cybersecurity02/26/2018
Randal Quarles, U.S. Board of Governors of the Federal Reserve System Vice Chairman for Supervision, provided brief remarks at the Financial Services Roundtable 2018 Spring Conference. Vice Chairman Quarles noted the importance of reviewing the post-crisis regulatory regime to determine which regulations may not be functioning effectively or as intended, and make changes, as necessary. He noted the importance of evaluating the costs and benefits of regulatory initiatives as well as evaluating their effect on both the resiliency of the financial system and on credit availability and growth. He focused in particular on the topic of cybersecurity, which he remarked is a high priority for the Federal Reserve Board. Given the dynamic and highly sophisticated nature of cyber attacks, Vice Chairman Quarles emphasized the need for collaboration in this area, both among private sector stakeholders and between the private sector and federal financial regulators. He noted that the Federal Reserve Board is continuing to work with other financial regulatory agencies to harmonize cyber risk-management standards and supervisory expectations to align them with existing best practices such as the National Institution of Standards and Technology’s Cybersecurity Framework.
View full text of Vice Chairman Quarles's remarks.
New York State Department of Financial Services Reminds Institutions of Upcoming Deadline for Cybersecurity Certification
New York State Department of Financial Services Superintendent Maria Vullo issued a press release reminding regulated entities and licensed persons of the NYDFS’s upcoming February 15, 2018 compliance certification deadline under New York’s cybersecurity regulation that was implemented in March of 2017. New York’s cybersecurity regulation generally requires (i) that regulated entities establish, review and assess cybersecurity policies and procedures designed to protect consumer data, (ii) that regulated entities have a Chief Information Security Officer, and (iii) that the policies and procedures are approved by an entity’s board of directors or a senior officer. Covered entities and individuals will be required to submit the certification, which attests to compliance with New York’s cybersecurity regulation for 2017, through the NYDFS’s cybersecurity portal. The press release also provides a link to a series of frequently asked questions regarding the cybersecurity regulation generally, and the upcoming filing deadline, including which subparts of the regulation are applicable to this year’s certification, and those that will be applicable to the 2019 certification. Superintendent Vullo also announced that the cybersecurity evaluation will be incorporated into all NYDFS examinations of regulated entities.
View full text of the press release.
European Banking Authority Issues Guidelines for Assessing and Managing Security and Operational Risks in Payment Services
The European Banking Authority has published finalized guidelines to assist payment services providers to conduct appropriate risk assessment and risk management of operational and security risks. The finalized guidelines contain some changes from the draft guidelines on which the EBA launched a consultation in May 2017.
Financial Stability Board Meeting to Discuss Ongoing 2017-2018 Workplan
The Financial Stability Board has published a press release summarizing the outcome of its plenary meeting in Berlin on October 6, 2017, at which it considered potential vulnerabilities in the financial system and discussed a number of areas from its workplan.
G20 Leaders Outline Action Plan Following Hamburg Summit
The G20 Leaders met in Hamburg, Germany on July 7-8, 2017 and have published a Leaders' Declaration and an Action Plan setting out the G20's strategy for achieving strong, sustainable, balanced and inclusive growth. The Action Plan includes ongoing and planned work on financial sector regulation and development.
New York's Department of Financial Services Issues Updated Cybersecurity FAQs
New York’s Department of Financial Services issued FAQs on its new cybersecurity requirements. Among other things, the updated guidance confirms that a financial services firms that are regulated by the DFS, referred to as a “covered entity”, may adopt an affiliate’s cybersecurity program, in whole or in part, so long as the covered entity’s overall cybersecurity program meets the requirements under DFS regulations. In addition, to the extent that an entity relies on an affiliate’s cybersecurity procedures in whole or in part, those policies and procedures must be made available for examination by the DFS.
View the FAQs.
New York State Department of Financial Services Finalizes Cybersecurity Regulation
The New York State Department of Financial Services issued its final cybersecurity regulation for financial services companies. The final regulation, which takes effect March 1, 2017, requires banks, insurance companies, and other financial services institutions regulated by the NYSDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data based on an assessment of its risk profile. The NYSDFS initially proposed the regulation in September 2016 and then revised and re-proposed the regulation in December 2016. The final rule requires that the program be adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization. Additionally, the officer of each covered financial services companies must annually certify their compliance to the NYSDFS. The final rule contains several changes from the original proposal including clarification on the ability of a covered financial services company to rely on an affiliate’s cybersecurity program to satisfy the rule and expanded exemptions including for entities with limited activities in New York.
View the final rule.
Federal Banking Agencies Extend Comment Period for Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards
The Federal Reserve, the OCC and the FDIC extended the comment period on an advance notice of proposed rulemaking on enhanced cyber risk management standards. The proposal, originally issued on October 26, 2016, addressed enhanced cyber risk management standards for large and interconnected entities under the supervision of the federal banking agencies. The proposal addressed five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. In its notice announcing the extension of the comment period, the federal banking agencies noted that the range and complexity of the issues addressed in the proposal resulted in the extension of the public comment period. All comments on the proposal are due on February 17, 2017.
View text of notice of extension of comment period.
York State Department of Financial Services Reproposes Cybersecurity Regulation
The New York State Department of Financial Services (NYSDFS) reproposed its first-in-the-nation cybersecurity regulation to protect New York State from the threat of cyber-attacks. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies and other financial services institutions regulated by NYSDFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
The NYSDFS considered comments submitted regarding the previously proposed regulation during a 45-day comment period, which ended on November 14, 2016, and has incorporated appropriate comments in the updated regulation that will be subject to an additional final 30-day notice and public comment period. The NYSDFS will focus its final review on any new comments that were not previously raised in the original comment process.
View reproposed regulation.
US Federal Reserve Board, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation Issue Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards.
The US Federal Reserve Board, OCC and FDIC jointly released an advanced notice of proposed rulemaking seeking comments on enhanced cybersecurity risk-management and resilience standards. The new rule would apply to any depository institution or holding company with consolidated assets of at least $50 billion, foreign banking organizations with total US assets of at least $50 billion and financial infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board.
G7 Publishes Fundamental Elements of Cyber Security for the Financial Sector
The G7 Cyber Expert Group published a statement on the fundamental elements of cyber security in the financial sector. The high-level elements are intended to assist a financial sector entity to design and implement their cyber security strategy and operating framework as well as to guide public authorities in developing their policies. The elements include the establishment of a cybersecurity strategy and operating framework, governance, risk and control assessments, monitoring, timely and proportionate responses to a cyber incident, the recovery of operations and remediation following a cyber security event, sharing information and reviewing the strategy and framework regularly to address relevant changes. The elements are not legally binding.
View the elements of cyber security.
International Task Force to Review Cyber Security of Wholesale Payments
The Bank for International Settlements' Committee on Payments and Market Infrastructures announced that it had established a task force to review the security of wholesale payments that involve banks, financial market infrastructures and other financial institutions. The CPMI is tasked with setting global standards for payment, clearing and settlement services. The first phase will involve a review of current practices in the area, with future efforts to be determined based on the findings. The task force follows efforts by the CPMI on cyber security and operational risk, including publication of the Guidance on cyber resilience for financial market infrastructures, and the CPMI-IOSCO Principles for Financial Market Infrastructures.
View the press release.
View the Guidance on cyber resilience.
View the Principles for Financial Market Infrastructures.
NYS Financial Services Department Proposes Cybersecurity Regulations
The New York State Department of Financial Services proposed regulations requiring banks, insurance companies and other NYDFS-regulated institutions to promptly adopt a cybersecurity program and setting forth certain minimum standards with respect to such program. As part of the establishment of a cybersecurity program, each covered entity would be required to, among other things, adopt a written cybersecurity policy, designate a chief information security officer responsible for implementing, overseeing and enforcing its new program and policy and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties. Institutions would also be required to comply with additional requirements in order to protect the confidentiality, integrity and availability of information systems. The proposed regulations would also require senior management of covered entities to file an annual certification confirming compliance with the regulations, beginning in January 2018.
The NYDFS notes that while these regulatory minimum standards are warranted, it is not the intention that such standards be overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. The proposed regulations are subject to a 45-day notice and public comment period before their final issuance.
View proposed regulations.
US National Institute of Standards and Technology Seeks Cybersecurity Information in Digital Economy
The US NIST issued a request for information regarding current and future cybersecurity initiatives in the digital economy in connection with its directive to support the Commission on Enhancing National Cybersecurity. The Commission will ultimately make recommendations on actions that can be taken to strengthen cybersecurity in both the public and private sectors. NIST is seeking information on current trends, progress being made, short-term initiatives and perceived long-term challenges in respect of several topics relating to cybersecurity as the Commission formulates recommendations intended to “increase the protection and resilience of the digital ecosystem.” Topics on which the Commission is soliciting information include: critical infrastructure cybersecurity, cybersecurity research and development, international markets and the internet of things. Comments were due on September 9, 2016.
View NIST Request for Comment.
New EU Directive on Security of Information Systems
A new Directive on cyber security was published in the Official Journal of the European Union. The Directive aims to achieve a common level of security of network and information systems within the EU. It requires all Member States to adopt a national strategy on the security of network and information systems and establishes security and notification requirements for operators of essential services and for digital service providers. The Cyber Security Directive applies to certain credit institutions, any operator of a trading venue and central counterparties.
US Office of Inspector General to Audit Federal Reserve Board's Oversight of Cybersecurity Threats
As part of its Work Plan for the fourth quarter, the Federal Reserve Board’s Office of Inspector General announced that it will audit the Federal Reserve Board’s oversight of cybersecurity threats to financial institutions. According to the OIG, the growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions. The OIG will focus its review on how the Federal Reserve System’s examination process has evolved and whether it is providing adequate oversight of financial institutions’ information security controls and cybersecurity threats.
View OIG Work Plan.
US Federal Financial Institutions Examination Council Issues Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks
The US Federal Financial Institutions Examination Council issued a statement to remind financial institutions to actively manage risks associated with interbank messaging and wholesale payments networks in light of recent terror attacks. The statement does not contain new regulatory expectations related to IT risk management, but rather, alerts financial institutions as to specific risk mitigation techniques to prevent such attacks. The statement encourages financial institutions to review their risk management practices and controls, including authentication, authorization, fraud detection, and response management systems and processes.
View the statement.
Chief Information Officer of US Federal Deposit Insurance Corporation Testifies before the US House of Representatives on Information Security
Chief Information Officer and Chief Privacy Officer of the US Federal Deposit Insurance Corporation, Lawrence Gross, testified before the Committee on Science, Space, and Technology of the U.S. House of Representatives’ Subcommittee on Oversight. He discussed the FDIC’s information security program and its ability to identify, analyze, report and remediate data security incidents. Gross noted that employees and contractors receive annual training to ensure they will report incidents when they have access to sensitive information. The FDIC also has a security incident response and escalation plan in place to ensure the systematic gathering and analysis of facts relevant to the incident, and an interdisciplinary team responsible for determining the appropriate course of action if there is an elevated risk of harm. After all facts have been gathered, the FDIC takes steps to mitigate the risk of harm and undertake appropriate reporting and notifications commensurate to the severity of the incident. Gross also detailed several remedial steps the FDIC is currently taking to further lower the risk of sensitive information being exposed.
Industry Associations Publish Principles on International Cyber Security, Data and Technology
Several industry associations jointly published a paper titled International Cybersecurity, Data and Technology Principles and urged the Financial Stability Board and the International Organization of Securities Commissions to take the Principles into account when developing policy and standards on cyber security, data and technology. The industry associations believe that cyber security for global financial institutions can only be addressed at an international level and are concerned that the rules of individual jurisdictions may lead to technology systems of global businesses becoming disintegrated, resulting in harm to competition, innovation and investors. The industry associations recommend that the Principles should be taken into account when any country creates laws, regulations, rules or standards on cyber security that could affect the framework of financial services firms that operate on a global basis. The industry associations are the European Banking Federation, the Global Financial Markets Association and the International Swaps and Derivatives Association.
View the Principles.
International Report on Cyber Security in Securities Markets
The International Organization of Securities Commissions published a report on cyber security in securities markets from an international perspective. The purpose of the report is to assist IOSCO members and market participants to enhance their cyber security in securities markets. The report outlines from an international perspective the various approaches adopted by market participants and the initiatives implemented by different regulators. The report focuses on the main regulatory challenges associated with cyber security issues across reporting issuers, trading venues, market intermediaries, asset managers and financial market infrastructures. The report states that regulators could cooperate to improve cyber security through the exchange of information on threats, security vulnerabilities and previous cyber-attacks that could ultimately be relevant for other regulated entities and market participants. Specifically, information on methods used by cyber criminals, exploited vulnerabilities they are aware of, ways of preventing similar attacks previously committed and emerging cyber risk trends. IOSCO concludes that the fluid nature of securities markets requires market participants and regulators to constantly evolve their responses to cyber security issues.
View the report.
Federal Reserve Bank of Boston President Offers Perspectives on Economic and Cyber Risks
While speaking at the Federal Reserve Bank of Boston’s 2016 Cybersecurity Conference, Boston Fed President Eric Rosengren addressed risks in the cyber realm, noting that such risks are not abating. In Rosengren’s view, banking organizations need to continue to evolve as these risks morph, and as new innovations and expectations of convenience introduce new challenges to security. Rosengren stated, “cyber risks make it imperative that we all work together to ensure that resiliency, monitoring, detection, and recovery capabilities are operational in the financial system.”
View Rosengren’s remarks.
US Deputy Treasury Secretary Sarah Bloom Raskin Provides Remarks on Cyber Security
US Deputy Treasury Secretary Sarah Bloom Raskin discussed the steps financial sector participants should take to respond and recover from a cyber attack. She noted that the key to an effective response and recovery involves preparation, coordination and practice, especially given that in a widespread cyber attack on the financial system, time would be of the essence. While the financial system has not yet experienced such an attack, Raskin warned that recent interconnected cyber attacks, including large-scale Distributed Denial of Service (DDoS) attacks, theft and misuse of customer data and destruction of systems and data, suggest that coordination is imperative in the face of such large-scale attacks. Moreover, Raskin discussed the government’s, and specifically, the US Treasury’s role in responding to, and helping the financial sector recover from, such an attack. Specifically, she mentioned the Treasury’s role in coordinating with federal and state financial and banking regulators, as well as other government agencies to effectively communicate information and to enhance incident response preparation, including response playbooks and cybersecurity table-top exercises. Raskin encouraged the private sector to create robust cyber incident playbooks which identify key players, actions and timelines to be employed in the event of a cyber attack.
View Deputy Treasury Secretary Raskin’s speech.
US Comptroller of the Currency Discusses Cross-Border Cooperation and De-Risking
US Comptroller of the Currency Thomas Curry discussed the importance of international cooperation and comprehensive cross-agency, cross-border approaches to cybersecurity and the fight to prevent money laundering. Comptroller Curry also addressed the issue of risk re-evaluation, commonly known as de-risking, which involves banks evaluating the BSA/AML risks posed by their customers and foreign correspondent banks. He noted that while these relationships may pose legitimate risks, there may be important reasons to preserve such relationships, a decision that the OCC does not dictate but leaves to the banks. Comptroller Curry noted that the OCC is in the process of gathering information through the supervisory process as to how banks conduct re-evaluation, including how they implement policies and procedures for evaluating customer risks, whether banks have policies on risk re-evaluation and how decisions to terminate such relationships are made and reviewed. He noted that the OCC may issue guidance upon completing this review.
US Federal Deposit Insurance Corporation Publishes Article Regarding Enhancing Banks' Cybersecurity Programs
The US Federal Deposit Insurance Corporation published “A Framework for Cybersecurity” as part of the agency’s Winter 2015 issue of “Supervisory Insights”. The article addresses the current state of cyber threats and how financial institutions’ information security programs can be modified to meet evolving cybersecurity risks. The publication also provides a summary of actions taken by the FDIC individually and with other regulators in response to the increase in cyber threats.
The latest issue of “Supervisory Insights” also includes articles on marketplace lending, recent lending conditions and risks as reported through the FDIC’s Credit and Consumer Products/Services Survey, and an overview of recently released FDIC regulations and supervisory guidance.
View the journal.