The following posts provide a snapshot of the principal U.S., European and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.
UK Financial Conduct Authority Updates Guidance on its Approach to Payment Services and Electronic Money
The U.K. Financial Conduct Authority has updated its Approach Document on payment services and electronic money, to reflect final guidelines issued in December 2017 by the European Banking Authority on security measures for mitigating operational and security risks under the revised Payment Services Directive. The changes will affect all payment service providers. The FCA has also updated its webpage on reporting requirements for payment services providers and e-money issuers to reflect these changes. The webpage includes a link to the revised version of the FCA's REP018 (operational and security risk) reporting form.
The FCA will expect payment services providers to comply with the EBA guidelines, which cover issues such as operational and security risk management framework governance, the use of models, outsourcing and how functions, processes and assets should be identified, classified and risk-assessed. The EBA guidelines also cover security of data integrity, systems and confidentiality as well as physical security and asset control and communication of the security measures to payment service users. PSPs will be expected to report at least annually to the FCA on their operational and security risk management frameworks.
UK Regulators Seek Views on Improving Operational Resilience of Firms and Financial Market Infrastructures
The Bank of England, the U.K. Prudential Regulation Authority and the U.K. Financial Conduct Authority have published a joint discussion paper entitled "Building the UK financial sector’s operational resilience." The Discussion Paper is aimed at opening a dialogue with the financial services industry on achieving what the Authorities view as a "step change" in the operational resilience of firms and Financial Market Infrastructures and at generating debate about the expectations regulators and the wider public might have of the operational resilience of financial services institutions.
While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.
UK Financial Policy Committee Outlines Steps to Reduce Risks to the UK's Financial Stability
The Bank of England has published a Financial Stability Report, dated June 2018, and a record of the Financial Policy Committee Meeting held on June 19, 2018. The Report sets out the FPC's view of the U.K.'s financial stability, the resilience of the U.K.'s financial system and the risks posed to each of those. Where applicable, the Report also notes the steps that the FPC is taking to address the risks. The record of the meeting provides a summary of issues discussed by the FPC in June.
Financial Stability Board Issues Consultation on Developing a Cyber Lexicon
As part of its work on the protection of financial stability against the malicious use of information and communication technologies, the Financial Stability Board has published a draft cyber lexicon for consultation.
In March 2017, the FSB was asked by the G20 Finance Ministers to review and produce a stock-take report on the existing regulation, supervisory practices and guidance on cyber security in the financial sectors of G20 jurisdictions. The G20 welcomed the FSB's stock-take report in October 2017 and asked the FSB to continue its work and to develop a common lexicon of cyber terms.
The FSB stresses that the lexicon is not intended for use in the legal interpretation of any international arrangement or agreement or any private contract. The use of the cyber lexicon will not be mandatory. Its purpose is to support the work of the FSB, standard-setting bodies, national authorities and private sector participants to address, and develop guidance on, cyber security and cyber resilience in the financial sector. In particular, the aim of the cyber lexicon is to create a cross-sector common understanding of relevant cyber security and cyber resilience terminology and to facilitate assessment and monitoring of financial stability risks in cyber risk scenarios.
UK Prudential Regulator Sets out Expectations on Firms' Exposures to Crypto-Assets
The U.K. Prudential Regulation Authority has published a "Dear CEO" letter, addressed to the Chief Executive Officers of banks, insurance companies and designated investment firms. The purpose of the letter is to remind firms of their relevant obligations under the PRA rules and to communicate the PRA's expectations regarding firms' exposures to crypto-assets.
Crypto-assets have exhibited high price volatility and relative illiquidity and may also be vulnerable to fraud and manipulation, which raises concerns about potential misconduct and poses issues for market integrity. The PRA's letter does not define crypto-assets, but the Financial Conduct Authority uses this term to refer to any publicly available electronic medium of exchange that features a distributed ledger and a decentralized system for exchange. The FCA recently published a "Dear CEO" letter outlining best practice for firms in handling the financial crime risks that crypto-assets can pose.
European Supervisory Authorities Make Recommendations to Address Risks in EU Securities, Banking and Insurance Sectors
The Joint Committee of the European Supervisory Authorities has published a report on risks and vulnerabilities in the EU financial system. The ESAs are the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority. The ESAs make recommendations for policy actions by the ESAs, national regulators and financial institutions. A summary of the risks and recommendations contained in the report is set out below.
- To combat cyber risks, the ESAs recommend that financial institutions should continue to improve IT systems, explore risks in the context of information security and take steps to resolve risks surrounding connectivity and outsourcing to third-party providers. The ESAs will continue to keep these risks under review. ESMA is launching a supervisory project on cloud computing outsourcing and will continue work to address supervisory convergence. The EBA is developing guidelines on the management of information and communication technology risks. EIOPA is conducting a qualitative exercise on cyber risk with national regulators and the industry.
US Federal Financial Institutions Examination Council Issues Joint Statement Regarding Cyber Insurance
The U.S. Federal Financial Institutions Examination Council members released a joint statement with respect to cyber insurance and its role in risk management. FFIEC members include the U.S. Board of Governors of the Federal Reserve System, the U.S. Office of the Comptroller of the Currency and the U.S. Federal Deposit Insurance Corporation. The statement and corresponding press release note that the frequency, sophistication and severity of cybersecurity incidents are increasing. As a result, general insurance policies may not provide adequate coverage in the event of a cybersecurity event and cyber insurance options are increasing and evolving in response to these factors. The statement highlights that cyber insurance options vary greatly, and can be in the form of either a standalone policy or an endorsement to an existing insurance policy. The statement cautions, however, that cyber insurance should be viewed as a risk mitigation tool and not as an alternative to sound internal controls, policies and procedures to guard against cybersecurity events. The statement notes that institutions, in considering cyber insurance, should assess their existing cybersecurity risk framework to determine the potential impact and magnitude of residual risk. In weighing cost and benefits of cyber insurance, the statement suggests that institutions should consider involving multiple stakeholders in the decision-making process, perform adequate due diligence to fully understand available policies and coverage options and incorporate cyber insurance into their annual budgeting processes.
View full text of the FFIEC statement.
European Central Bank Consults on Cyber Resilience Oversight Expectations for Eurozone Financial Market Infrastructures
The European Central Bank has launched a consultation on draft "cyber resilience oversight expectations" for financial market infrastructures.
The CROE use, as a basis, the Guidance on Cyber Resilience for Financial Market Infrastructures that was published jointly in June 2016 by the Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions. FMIs were required to implement immediately that Guidance, which was supplemental to the Principles for Financial Market Infrastructures published in 2012 by IOSCO and the Committee on Payment and Settlement Systems. The PFMIs were adopted by the Governing Council of the ECB in June 2013. In developing the CROE, the ECB also took into account existing international guidance documents, in particular the Cyber Security Framework published by the U.S. National Institute of Standards and Technology, the ISO/IEC 27002 good practice standard for information security, the COBIT 5 framework for the governance and management of enterprise IT, the Information Security Forum's Standard of Good Practice for Information Security and the U.S. Federal Financial Institutions Examination Council's Cybersecurity Assessment Tools.
UK Financial Conduct Authority Publishes its 2018/19 Business Plan
The Financial Conduct Authority has published its Business Plan for 2018/19 which sets out its key priorities for the coming year. The FCA confirms that it will continue to focus on issues relating to the U.K.'s withdrawal from the EU by working with the Government, ensuring appropriate transition measures for EEA firms, working towards operational readiness and cooperating at international level.
The FCA divides the remainder of its priorities into cross-sector priorities and sector priorities. There are seven cross-sector priorities: firms' culture and governance; financial crime and anti-money laundering; data security, resilience and outsourcing; innovation, big data, technology and competition; treatment of existing customers; long-term savings, pensions and intergenerational differences; and high-cost credit. There are seven sector priority areas: wholesale financial markets; investment management; retail lending; pensions and retirement income; retail investments; retail banking; and general insurance and protection. The FCA also published Sector Views for each of these sectors which provide an FCA view of how each sector was performing as of mid-2017.
Financial Stability Board Publishes Progress Update on its Work to Develop a Cyber Lexicon
The Financial Stability Board has published a Progress Update on its work on the creation of a common lexicon of terms to support the work of the FSB, standard-setting bodies, authorities and private sector participants to address cyber-security and cyber-resilience in the financial sector.
The FSB explains in the Progress Update that the cyber lexicon is not intended as a comprehensive lexicon of all cyber-security and cyber-resilience related terms. Its scope will be limited and focused on the core terms necessary to support the objective of the lexicon, which is to support the work of the above bodies, in particular by creating a cross-sector common understanding of relevant cyber security and cyber resilience terminology and by facilitating assessment and monitoring of financial stability risks in cyber-risk scenarios. It is expected that the lexicon will assist in the work of the FSB and standard-setting bodies to provide guidance related to cyber-security and cyber resilience.
European Supervisory Authorities Issue Final Report on Financial Institutions' Use of Big Data
The Joint Committee of the European Supervisory Authorities has published a final report on the use of Big Data by financial institutions. The Final Report has been prepared following feedback to a discussion paper published in December 2016 by the Joint Committee’s sub-Committee on Consumer Protection and Financial Innovation. “Big Data” is the term used to refer to situations where high volumes of different types of data, produced with high velocity from a wide variety of data sets and sources, is processed (often in real time) by IT tools, such as powerful processors, software and algorithms. Big Data tools have been in use for several years in some sectors, but less so in others. Nevertheless most respondents to the ESAs’ discussion paper agreed that Big Data may have an impact on almost all financial institutions and on their products and services. The use of Big Data techniques can help financial institutions to improve their understanding of customers’ preferences and their interactions with customers and clients. This can enable them to tailor products to their target markets and support effective product governance. However, the use of Big Data also entails risk.
US Federal Reserve Board Vice Chairman for Supervision Discusses Financial Regulation and Cybersecurity02/26/2018
Randal Quarles, U.S. Board of Governors of the Federal Reserve System Vice Chairman for Supervision, provided brief remarks at the Financial Services Roundtable 2018 Spring Conference. Vice Chairman Quarles noted the importance of reviewing the post-crisis regulatory regime to determine which regulations may not be functioning effectively or as intended, and make changes, as necessary. He noted the importance of evaluating the costs and benefits of regulatory initiatives as well as evaluating their effect on both the resiliency of the financial system and on credit availability and growth. He focused in particular on the topic of cybersecurity, which he remarked is a high priority for the Federal Reserve Board. Given the dynamic and highly sophisticated nature of cyber attacks, Vice Chairman Quarles emphasized the need for collaboration in this area, both among private sector stakeholders and between the private sector and federal financial regulators. He noted that the Federal Reserve Board is continuing to work with other financial regulatory agencies to harmonize cyber risk-management standards and supervisory expectations to align them with existing best practices such as the National Institution of Standards and Technology’s Cybersecurity Framework.
View full text of Vice Chairman Quarles's remarks.
New York State Department of Financial Services Reminds Institutions of Upcoming Deadline for Cybersecurity Certification
New York State Department of Financial Services Superintendent Maria Vullo issued a press release reminding regulated entities and licensed persons of the NYDFS’s upcoming February 15, 2018 compliance certification deadline under New York’s cybersecurity regulation that was implemented in March of 2017. New York’s cybersecurity regulation generally requires (i) that regulated entities establish, review and assess cybersecurity policies and procedures designed to protect consumer data, (ii) that regulated entities have a Chief Information Security Officer, and (iii) that the policies and procedures are approved by an entity’s board of directors or a senior officer. Covered entities and individuals will be required to submit the certification, which attests to compliance with New York’s cybersecurity regulation for 2017, through the NYDFS’s cybersecurity portal. The press release also provides a link to a series of frequently asked questions regarding the cybersecurity regulation generally, and the upcoming filing deadline, including which subparts of the regulation are applicable to this year’s certification, and those that will be applicable to the 2019 certification. Superintendent Vullo also announced that the cybersecurity evaluation will be incorporated into all NYDFS examinations of regulated entities.
View full text of the press release.
European Banking Authority Issues Guidelines for Assessing and Managing Security and Operational Risks in Payment Services
The European Banking Authority has published finalized guidelines to assist payment services providers to conduct appropriate risk assessment and risk management of operational and security risks. The finalized guidelines contain some changes from the draft guidelines on which the EBA launched a consultation in May 2017.
Financial Stability Board Meeting to Discuss Ongoing 2017-2018 Workplan
The Financial Stability Board has published a press release summarizing the outcome of its plenary meeting in Berlin on October 6, 2017, at which it considered potential vulnerabilities in the financial system and discussed a number of areas from its workplan.
G20 Leaders Outline Action Plan Following Hamburg Summit
The G20 Leaders met in Hamburg, Germany on July 7-8, 2017 and have published a Leaders' Declaration and an Action Plan setting out the G20's strategy for achieving strong, sustainable, balanced and inclusive growth. The Action Plan includes ongoing and planned work on financial sector regulation and development.
New York's Department of Financial Services Issues Updated Cybersecurity FAQs
New York’s Department of Financial Services issued FAQs on its new cybersecurity requirements. Among other things, the updated guidance confirms that a financial services firms that are regulated by the DFS, referred to as a “covered entity”, may adopt an affiliate’s cybersecurity program, in whole or in part, so long as the covered entity’s overall cybersecurity program meets the requirements under DFS regulations. In addition, to the extent that an entity relies on an affiliate’s cybersecurity procedures in whole or in part, those policies and procedures must be made available for examination by the DFS.
View the FAQs.
New York State Department of Financial Services Finalizes Cybersecurity Regulation
The New York State Department of Financial Services issued its final cybersecurity regulation for financial services companies. The final regulation, which takes effect March 1, 2017, requires banks, insurance companies, and other financial services institutions regulated by the NYSDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data based on an assessment of its risk profile. The NYSDFS initially proposed the regulation in September 2016 and then revised and re-proposed the regulation in December 2016. The final rule requires that the program be adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization. Additionally, the officer of each covered financial services companies must annually certify their compliance to the NYSDFS. The final rule contains several changes from the original proposal including clarification on the ability of a covered financial services company to rely on an affiliate’s cybersecurity program to satisfy the rule and expanded exemptions including for entities with limited activities in New York.
View the final rule.
Federal Banking Agencies Extend Comment Period for Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards
The Federal Reserve, the OCC and the FDIC extended the comment period on an advance notice of proposed rulemaking on enhanced cyber risk management standards. The proposal, originally issued on October 26, 2016, addressed enhanced cyber risk management standards for large and interconnected entities under the supervision of the federal banking agencies. The proposal addressed five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. In its notice announcing the extension of the comment period, the federal banking agencies noted that the range and complexity of the issues addressed in the proposal resulted in the extension of the public comment period. All comments on the proposal are due on February 17, 2017.
View text of notice of extension of comment period.
York State Department of Financial Services Reproposes Cybersecurity Regulation
The New York State Department of Financial Services (NYSDFS) reproposed its first-in-the-nation cybersecurity regulation to protect New York State from the threat of cyber-attacks. The proposed regulation, which will be effective March 1, 2017, will require banks, insurance companies and other financial services institutions regulated by NYSDFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.
The NYSDFS considered comments submitted regarding the previously proposed regulation during a 45-day comment period, which ended on November 14, 2016, and has incorporated appropriate comments in the updated regulation that will be subject to an additional final 30-day notice and public comment period. The NYSDFS will focus its final review on any new comments that were not previously raised in the original comment process.
View reproposed regulation.
US Federal Reserve Board, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation Issue Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards.
The US Federal Reserve Board, OCC and FDIC jointly released an advanced notice of proposed rulemaking seeking comments on enhanced cybersecurity risk-management and resilience standards. The new rule would apply to any depository institution or holding company with consolidated assets of at least $50 billion, foreign banking organizations with total US assets of at least $50 billion and financial infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board.
G7 Publishes Fundamental Elements of Cyber Security for the Financial Sector
The G7 Cyber Expert Group published a statement on the fundamental elements of cyber security in the financial sector. The high-level elements are intended to assist a financial sector entity to design and implement their cyber security strategy and operating framework as well as to guide public authorities in developing their policies. The elements include the establishment of a cybersecurity strategy and operating framework, governance, risk and control assessments, monitoring, timely and proportionate responses to a cyber incident, the recovery of operations and remediation following a cyber security event, sharing information and reviewing the strategy and framework regularly to address relevant changes. The elements are not legally binding.
View the elements of cyber security.
International Task Force to Review Cyber Security of Wholesale Payments
The Bank for International Settlements' Committee on Payments and Market Infrastructures announced that it had established a task force to review the security of wholesale payments that involve banks, financial market infrastructures and other financial institutions. The CPMI is tasked with setting global standards for payment, clearing and settlement services. The first phase will involve a review of current practices in the area, with future efforts to be determined based on the findings. The task force follows efforts by the CPMI on cyber security and operational risk, including publication of the Guidance on cyber resilience for financial market infrastructures, and the CPMI-IOSCO Principles for Financial Market Infrastructures.
View the press release.
View the Guidance on cyber resilience.
View the Principles for Financial Market Infrastructures.
NYS Financial Services Department Proposes Cybersecurity Regulations
The New York State Department of Financial Services proposed regulations requiring banks, insurance companies and other NYDFS-regulated institutions to promptly adopt a cybersecurity program and setting forth certain minimum standards with respect to such program. As part of the establishment of a cybersecurity program, each covered entity would be required to, among other things, adopt a written cybersecurity policy, designate a chief information security officer responsible for implementing, overseeing and enforcing its new program and policy and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties. Institutions would also be required to comply with additional requirements in order to protect the confidentiality, integrity and availability of information systems. The proposed regulations would also require senior management of covered entities to file an annual certification confirming compliance with the regulations, beginning in January 2018.
The NYDFS notes that while these regulatory minimum standards are warranted, it is not the intention that such standards be overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. The proposed regulations are subject to a 45-day notice and public comment period before their final issuance.
View proposed regulations.
US National Institute of Standards and Technology Seeks Cybersecurity Information in Digital Economy
The US NIST issued a request for information regarding current and future cybersecurity initiatives in the digital economy in connection with its directive to support the Commission on Enhancing National Cybersecurity. The Commission will ultimately make recommendations on actions that can be taken to strengthen cybersecurity in both the public and private sectors. NIST is seeking information on current trends, progress being made, short-term initiatives and perceived long-term challenges in respect of several topics relating to cybersecurity as the Commission formulates recommendations intended to “increase the protection and resilience of the digital ecosystem.” Topics on which the Commission is soliciting information include: critical infrastructure cybersecurity, cybersecurity research and development, international markets and the internet of things. Comments were due on September 9, 2016.
View NIST Request for Comment.
New EU Directive on Security of Information Systems
A new Directive on cyber security was published in the Official Journal of the European Union. The Directive aims to achieve a common level of security of network and information systems within the EU. It requires all Member States to adopt a national strategy on the security of network and information systems and establishes security and notification requirements for operators of essential services and for digital service providers. The Cyber Security Directive applies to certain credit institutions, any operator of a trading venue and central counterparties.
US Office of Inspector General to Audit Federal Reserve Board's Oversight of Cybersecurity Threats
As part of its Work Plan for the fourth quarter, the Federal Reserve Board’s Office of Inspector General announced that it will audit the Federal Reserve Board’s oversight of cybersecurity threats to financial institutions. According to the OIG, the growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions. The OIG will focus its review on how the Federal Reserve System’s examination process has evolved and whether it is providing adequate oversight of financial institutions’ information security controls and cybersecurity threats.
View OIG Work Plan.
US Federal Financial Institutions Examination Council Issues Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks
The US Federal Financial Institutions Examination Council issued a statement to remind financial institutions to actively manage risks associated with interbank messaging and wholesale payments networks in light of recent terror attacks. The statement does not contain new regulatory expectations related to IT risk management, but rather, alerts financial institutions as to specific risk mitigation techniques to prevent such attacks. The statement encourages financial institutions to review their risk management practices and controls, including authentication, authorization, fraud detection, and response management systems and processes.
View the statement.
Chief Information Officer of US Federal Deposit Insurance Corporation Testifies before the US House of Representatives on Information Security
Chief Information Officer and Chief Privacy Officer of the US Federal Deposit Insurance Corporation, Lawrence Gross, testified before the Committee on Science, Space, and Technology of the U.S. House of Representatives’ Subcommittee on Oversight. He discussed the FDIC’s information security program and its ability to identify, analyze, report and remediate data security incidents. Gross noted that employees and contractors receive annual training to ensure they will report incidents when they have access to sensitive information. The FDIC also has a security incident response and escalation plan in place to ensure the systematic gathering and analysis of facts relevant to the incident, and an interdisciplinary team responsible for determining the appropriate course of action if there is an elevated risk of harm. After all facts have been gathered, the FDIC takes steps to mitigate the risk of harm and undertake appropriate reporting and notifications commensurate to the severity of the incident. Gross also detailed several remedial steps the FDIC is currently taking to further lower the risk of sensitive information being exposed.
Industry Associations Publish Principles on International Cyber Security, Data and Technology
Several industry associations jointly published a paper titled International Cybersecurity, Data and Technology Principles and urged the Financial Stability Board and the International Organization of Securities Commissions to take the Principles into account when developing policy and standards on cyber security, data and technology. The industry associations believe that cyber security for global financial institutions can only be addressed at an international level and are concerned that the rules of individual jurisdictions may lead to technology systems of global businesses becoming disintegrated, resulting in harm to competition, innovation and investors. The industry associations recommend that the Principles should be taken into account when any country creates laws, regulations, rules or standards on cyber security that could affect the framework of financial services firms that operate on a global basis. The industry associations are the European Banking Federation, the Global Financial Markets Association and the International Swaps and Derivatives Association.
View the Principles.
International Report on Cyber Security in Securities Markets
The International Organization of Securities Commissions published a report on cyber security in securities markets from an international perspective. The purpose of the report is to assist IOSCO members and market participants to enhance their cyber security in securities markets. The report outlines from an international perspective the various approaches adopted by market participants and the initiatives implemented by different regulators. The report focuses on the main regulatory challenges associated with cyber security issues across reporting issuers, trading venues, market intermediaries, asset managers and financial market infrastructures. The report states that regulators could cooperate to improve cyber security through the exchange of information on threats, security vulnerabilities and previous cyber-attacks that could ultimately be relevant for other regulated entities and market participants. Specifically, information on methods used by cyber criminals, exploited vulnerabilities they are aware of, ways of preventing similar attacks previously committed and emerging cyber risk trends. IOSCO concludes that the fluid nature of securities markets requires market participants and regulators to constantly evolve their responses to cyber security issues.
View the report.
Federal Reserve Bank of Boston President Offers Perspectives on Economic and Cyber Risks
While speaking at the Federal Reserve Bank of Boston’s 2016 Cybersecurity Conference, Boston Fed President Eric Rosengren addressed risks in the cyber realm, noting that such risks are not abating. In Rosengren’s view, banking organizations need to continue to evolve as these risks morph, and as new innovations and expectations of convenience introduce new challenges to security. Rosengren stated, “cyber risks make it imperative that we all work together to ensure that resiliency, monitoring, detection, and recovery capabilities are operational in the financial system.”
View Rosengren’s remarks.
US Deputy Treasury Secretary Sarah Bloom Raskin Provides Remarks on Cyber Security
US Deputy Treasury Secretary Sarah Bloom Raskin discussed the steps financial sector participants should take to respond and recover from a cyber attack. She noted that the key to an effective response and recovery involves preparation, coordination and practice, especially given that in a widespread cyber attack on the financial system, time would be of the essence. While the financial system has not yet experienced such an attack, Raskin warned that recent interconnected cyber attacks, including large-scale Distributed Denial of Service (DDoS) attacks, theft and misuse of customer data and destruction of systems and data, suggest that coordination is imperative in the face of such large-scale attacks. Moreover, Raskin discussed the government’s, and specifically, the US Treasury’s role in responding to, and helping the financial sector recover from, such an attack. Specifically, she mentioned the Treasury’s role in coordinating with federal and state financial and banking regulators, as well as other government agencies to effectively communicate information and to enhance incident response preparation, including response playbooks and cybersecurity table-top exercises. Raskin encouraged the private sector to create robust cyber incident playbooks which identify key players, actions and timelines to be employed in the event of a cyber attack.
View Deputy Treasury Secretary Raskin’s speech.
US Comptroller of the Currency Discusses Cross-Border Cooperation and De-Risking
US Comptroller of the Currency Thomas Curry discussed the importance of international cooperation and comprehensive cross-agency, cross-border approaches to cybersecurity and the fight to prevent money laundering. Comptroller Curry also addressed the issue of risk re-evaluation, commonly known as de-risking, which involves banks evaluating the BSA/AML risks posed by their customers and foreign correspondent banks. He noted that while these relationships may pose legitimate risks, there may be important reasons to preserve such relationships, a decision that the OCC does not dictate but leaves to the banks. Comptroller Curry noted that the OCC is in the process of gathering information through the supervisory process as to how banks conduct re-evaluation, including how they implement policies and procedures for evaluating customer risks, whether banks have policies on risk re-evaluation and how decisions to terminate such relationships are made and reviewed. He noted that the OCC may issue guidance upon completing this review.
US Federal Deposit Insurance Corporation Publishes Article Regarding Enhancing Banks' Cybersecurity Programs
The US Federal Deposit Insurance Corporation published “A Framework for Cybersecurity” as part of the agency’s Winter 2015 issue of “Supervisory Insights”. The article addresses the current state of cyber threats and how financial institutions’ information security programs can be modified to meet evolving cybersecurity risks. The publication also provides a summary of actions taken by the FDIC individually and with other regulators in response to the increase in cyber threats.
The latest issue of “Supervisory Insights” also includes articles on marketplace lending, recent lending conditions and risks as reported through the FDIC’s Credit and Consumer Products/Services Survey, and an overview of recently released FDIC regulations and supervisory guidance.
View the journal.
US Financial Crimes Enforcement Netwrok Director Speech on financial Intelligence Data and Cyber Threats
The Director of FinCEN, Jennifer Shasky Calvery, delivered a speech regarding FinCEN’s efforts to gather financial intelligence data and mitigate cyber threats. Director Calvery discussed methods by which FinCEN gathers data through its Bank Secrecy Act reporting stream and then uses such data to combat cyber threats. She also discussed FinCEN’s recent analytical enhancements and efforts to work alongside foreign Financial Intelligence Units in order to identify information that could be helpful in preventing cyber incidents. Finally, she stressed the importance of information sharing among law enforcement, the private sector, government and international counterparts to recognize and cope with threats to the financial system.
View the speech.
European Union Agency for Network and Information Security Reports on the Secure Use of Cloud Computing in the Finance Sector
The European Union Agency for Network and Information Security published a report on the secure use of cloud computing in the finance sector. ENISA makes recommendations to financial institutions, national regulators as well as cloud service providers that aim to facilitate the secure adoption of cloud services in the finance sector. According to ENISA, the following are key issues that are hampering the adoption of cloud services by financial institutions: (i) financial institutions and their national regulators are unconvinced about the security benefits of cloud computing even though security is considered very important by CSPs and risk assessments have been carried out by various expert bodies, including ENISA; (ii) lack of detailed guidance on the relevance of national regulations for cloud computing; and (iii) guidance from national regulators on meeting regulatory requirements when adopting cloud computing needs to be further developed. ENISA makes several recommendations, including: (i) national regulators, financial institutions and CSPs should develop effective communication and collaboration to assist the cloud market to evolve quicker; (ii) financial institutions should develop a cloud computing strategy, adopting a risk-based approach to moving to the cloud; (iii) CSPs should work to increase the level of transparency about cloud offerings for financial institutions and their regulators; and (iv) the European Commission, European Agencies and industry bodies should work together to improve the understanding of cloud computing.
View the report.
Committee on Payments and Market Infrastructures and International Organization of Securities Commissions Consultation on Cyber Resilience
The Committee on Payments and Market Infrastructures and the Board of the International Organization of Securities Commissions published a consultation paper related to guidance on cyber resilience for Financial Market Infrastructures. The guidance aims to encourage FMIs to pre-empt and respond rapidly to cyber-attacks and deals with five primary risk management categories that are significant for the cyber resilience of FMIs: (i) governance; (ii) identification; (iii) protection; (iv) detection; and (v) response and recovery. The guidance states that continuous improvements to systems must be made to maximize cyber resilience, that it is imperative for FMIs to resume operations rapidly and safely after a successful cyber-attack and that senior management attention is critical to cyber resilience strategy. Comments on the consultation are due by February 23, 2016.
View the consultation.
Remarks by US Deputy Secretary of the Treasury Sarah Bloom Raskin at The Clearing House Annual Conference
US Deputy Secretary of the Treasury, Sarah Bloom Raskin, delivered a speech at The Clearing House annual conference discussing cybersecurity and resiliency in the financial services sector. Raskin emphasized the need for greater cooperation among financial sectors and governments globally in order to mitigate cybersecurity threats. She also stressed the importance of financial institutions embedding cybersecurity into their risk management and control procedures, practicing basic “cyber hygiene” by bolstering the resiliency of computer systems and preparing a recovery playbook for significant cyber incidents.
View the speech.
Expansion of the US Board of Governors of the Federal Reserve System's Emergency Communications System
The Federal Reserve Board issued SR Letter 15-10/CA 15-8 to announce the expansion of its Emergency Communications System – a service that maintains a database of emergency contacts to allow the Federal Reserve System staff to communicate with financial institutions in case of a natural disaster or operational emergency. The expansion will require supervised institutions to identify and register "designated cyber emergency contact(s)" that Federal Reserve staff may contact in the case of cyber emergencies. The Federal Reserve will periodically test the system to verify the contact’s business telephone number and e-mail address and the confirmation of delivery of test messages.
View the Federal Reserve Board press release.
View the SR Letter 15-10/CA 15-8.
US Office of the Comptroller of the Currency Highlights National Cybersecurity Awareness Month
The Comptroller of the Currency, Thomas J. Curry, issued a statement recognizing October as National Cybersecurity Awareness Month, as designated by President Obama. Mr. Curry stated that the goal of the month is to “raise awareness of threats to the data systems that have become part of our everyday lives and to encourage each of us to take steps to safeguard those systems.” Mr. Curry’s statement noted the increasing prevalence of cybersecurity breaches and encouraged banks/thrifts and supervisory agencies to work together to prevent breaches and to ensure that institutions have a plan in place to effectively detect, assess, and respond to cyber-attacks.
View the press release.
US Securities and Exchange Commission Charges Investment Advisor with Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach
The US Securities and Exchange Commission announced that R.T. Jones Capital Equities Management, an investment adviser, agreed to settle charges regarding its failure to follow guidelines for cybersecurity policies and procedures, which resulted in a breach which compromised the personally identifiable information of approximately 100,000 individuals. Federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. The SEC investigation found that R.T. Jones Capital Equities Management violated this "safeguards rule" for approximately four years before the breach by failing to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information. The SEC's order found that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. In the settlement, R.T. Jones agreed to cease and desist from future violations of Rule 30(a) as well as pay a $75,000 penalty.
View the SEC press release.
US Deputy Comptroller Discusses Cybersecurity
The US Office of the Comptroller of the Currency Deputy Comptroller for Compliance Operations and Policy, Grovetta Gardineer, discussed the cybersecurity assessment tool issued by the Federal Financial Institutions Examination Council in June 2015. According to Gardineer, the tool provides a common framework for assessment across institutions and represents a step forward in terms of supervision of banks and thrifts in cybersecurity. While the use of the cybersecurity tool is optional for financial institutions, it will be used by OCC examiners to supplement their exam work and to obtain a stronger and more complete understanding of the cybersecurity risks faced by financial institutions.
View press release.
View the speech.
Bank of England Publishes Financial Stability Report Identifying Main Current Risks in UK Financial System
The Bank of England published its Financial Stability Report which identifies the main current risks in the UK financial system. The report sets out recommendations made by the Financial Policy Committee on Additional Tier 1 capital for the purposes of the minimum leverage ratio requirement. The report recommends to the Prudential Regulation Authority that AT1 capital should be counted towards Tier 1 capital only if the relevant capital instrument specifies a trigger event that occurs when the Common Equity Tier 1 capital ratio of the institution falls below 7%. The report also directs the BoE, PRA and Financial Conduct Authority to work with firms to complete cyber‑attack resilience assessments (also known as CBEST tests), adopt cyber‑resilience action plans and establish arrangements for CBEST tests to become regular cyber resilience assessments within the UK financial system. The report also refers to recommendations on the new UK leverage ratio framework which are discussed in further detail below.
View the report.
US Federal Financial Institutions Examination Council Develops Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors
The Federal Financial Institutions Examination Council – an interagency body composed of the US Board of Governors of the Federal Reserve System, the FDIC, the US National Credit Union Administration, the US Office of the Comptroller of the Currency, and the US Consumer Financial Protection Bureau – announced its release of a Cybersecurity Assessment Tool. The tool, together with other resources made available by the FFIEC to financial institutions, is available for all financial institutions regardless of asset size and is intended to aid senior management and boards of directors of financial institutions to assess cybersecurity risk and preparedness.
UK Government Reports on Cyber Risk Insurance
The UK Government published a report on managing and mitigating cyber security risks with cyber insurance. The report details how insurers and insurance can play a role in reducing cyber security risks. The report notes that there is a lack of awareness that insurance is available for cyber risk and recommends that firms review their cyber risk management to include a board-level assessment for cyber risk, and draw up recovery plans and use stress testing to confirm financial resilience against cyber threats. The report also gives details of its new industry supported scheme, Cyber Essentials, which was developed as part of the UK’s National Cyber Security Program and guides businesses in protecting themselves against cyber threats.
View the report