Enhanced cyber risk management standards
The three federal banking regulatory agencies released on Oct. 19, 2016 a series of proposed enhancements to cyber risk management standards that could result in new policy guidance or new stringent regulation. They are currently inviting comments before issuing a more detailed proposal for consideration.
"The Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Board. The proposed enhanced standards would not apply to community banks."
The enhanced standards would be integrated into the existing supervisory framework (FFIEC URSITrating & related IT Handbook; GLBA) and consider elements from assessment tools (FFIEC CAT), cyber risk management frameworks (NIST CSF) as well as guidance provided by other organizations (CMPI-IOSCO, Interagency paper by Federal Reserve, OCC, SEC).
The list of enhanced cyber risk management standards includes the requirement for regulated entities to:
- Develop a written, board-approved cyber risk management strategy, inclusive of a supporting framework
- Assess the overall exposure to cyber risk
- Have the board approve cyber risk appetite and tolerances
- Reduce their residual cyber risk to the board-approved level
- Quantitatively measure the completeness, effectiveness and timeliness of residual risk reduction
- Identify the risk associate with internal and external dependencies
- Establish incident response and cyber resilience capabilities to quickly recover from cyber events
For systems that provide key functionality to the financial sector, a more stringent set of standards are being considered. These would include the requirement for covered entities to:
- Minimize the residual risk by implementing the most effective controls
- Recover from cyber events within 2 hours (sector-critical systems only)
- Quantitatively measure their ability to reduce the aggregate risk to a minimum level
A notable development is that the agencies are also seeking to develop a consistent, repeatable methodology to support the ongoing quantification of cyber risk within covered entities. The agencies are familiar with the FAIR standard quantification risk model and with Carnegie Mellon's Goal-Question-Indicator-Metric process and are considering building upon these methodologies.
FAIR Institute's Take
The agencies' proposals very much align with the FAIR Institute's recommendation for organizations to move to a quantifiable risk-based approach to cybersecurity that enables business-aligned and cost-effective decision making. The FAIR standard already provides a practical foundation for quantifying cyber risk for many organizations, within the financial services sector and beyond. Their experience is showing that you can't effectively meet most of the requirements listed above without a formal risk quantification model that allows you to assess and communicate about cyber risk in financial terms.
Addressing risk in economic terms using a risk model like FAIR allows:
- Risk managers to assess cyber risk in financial terms that board of directors and management can understand
- Boards to define acceptable and measurable levels of risk
- Business executives to conduct cost-benefit analyses and calculate the ROI of cybersecurity
- Cybersecurity professionals to evaluate the comparative efficacy of alternative controls
- Organizations overall to meet many of the proposed new standards
Share Your Experiences and Comments
We encourage the FAIR Institute members to respond to the agencies' invitation to comment on their proposed cyber risk management standards enhancements.
Comments are due January 17, 2017. You can access the full documents and instructions on how to comment here.