Evolving Cybersecurity Standards for Financial Institutions: What You Need to Know
In an era where cyber threats are increasingly sophisticated and pervasive, the standards governing how financial institutions (FIs) manage cybersecurity risks are tightening. The Federal Deposit Insurance Corporation (FDIC) is poised to implement a new rule that lowers the asset threshold for covered institutions, thereby expanding the scope of regulatory oversight. Jessica Caballero, director of cyber risk management at Defensestorm, provides insights into the implications of this proposed rule and what institutions of all sizes should consider in their cyber risk management strategies.
The FDIC’s Proposed Rule: A Shift in Standards
The FDIC is currently deliberating a proposed rule that aims to enhance governance and risk management standards for large banks, specifically those with assets exceeding $10 billion. This rule mandates that these institutions assess their risk governance frameworks, including cybersecurity risk management policies, controls, and the robustness of their data and systems infrastructure. The proposed rule is notable not only for its stringent requirements but also for its significantly lower asset threshold compared to similar regulations from the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, which apply to banks with total assets over $50 billion.
The proposed rule has sparked debate within the industry, with some Senate Republicans advocating for its withdrawal. The public comment period for the rule closed in February 2024, leaving its future uncertain. Regardless of the outcome, the implications of the proposed rule warrant careful consideration, particularly concerning its cybersecurity components.
Best Practices for Cyber Risk Management
Even if the FDIC’s proposed rule does not become final, it sets a precedent for best practices in cyber risk management that institutions of all sizes should adopt. Enhanced governance structures and effective risk management principles are essential for maturing cyber risk management programs. Smaller banks and credit unions, while not directly covered by the proposed rule, can benefit from its guidelines as they develop their own cybersecurity strategies.
The Need for Cyber Expertise at the Board Level
One of the critical aspects of the FDIC’s proposed rule is the emphasis on board composition and the necessity for members to possess cybersecurity expertise. This aligns with the 2023 amendment to the New York Department of Financial Services (NYDFS) Part 500 cybersecurity regulation, which mandates that governing bodies have a sufficient understanding of cybersecurity matters to exercise effective oversight. Institutions lacking this expertise may need to engage external advisors to fill knowledge gaps.
To bolster their governance capabilities, banks and credit unions should consider diversifying their boards to include members with technology and cybersecurity backgrounds. For smaller institutions, this could involve more frequent board training sessions and the establishment of specialized committees focused on cybersecurity oversight.
Implementing the Three Lines of Defense Model
The FDIC’s proposed rule requires covered banks to adopt the three lines of defense model, a framework that delineates roles and responsibilities in risk management. Many community banks and credit unions have yet to formalize this model, but its adoption is becoming increasingly essential as regulatory scrutiny intensifies.
The three lines of defense model consists of:
- Front-line Units (FLU): These are the business units responsible for managing risks directly.
- Independent Risk Management (IRM): This unit operates under the chief risk officer (CRO) and is tasked with overseeing risk management practices.
- Internal Audit (IA): Led by a chief audit officer (CAO), this unit has unrestricted access to the board and is responsible for evaluating the effectiveness of the risk management program.
Institutions must carefully consider how to implement this model, particularly in the context of cyber risk management. For example, the Chief Information Security Officer (CISO) may serve as a business line leader or as part of the independent risk management team, depending on the institution’s structure and talent pool.
Data Aggregation and Reporting
Another significant aspect of the FDIC’s proposed rule is the requirement for robust data aggregation and reporting processes as part of the risk management program. Institutions must develop policies and procedures that ensure accurate and timely reporting of material risks, including cyber threats.
This requirement places additional pressure on information technology professionals, who will be responsible for maintaining the integrity and availability of risk data. Institutions should prioritize the development of data architecture and IT infrastructure that supports effective risk management, regardless of whether they fall under the proposed rule’s scope.
Strengthening Internal Audit Functions
For institutions subject to the FDIC’s heightened standards, maturing the internal audit function is crucial for ensuring the effectiveness of risk management programs. This maturation process involves maintaining comprehensive risk registers and conducting regular risk assessments across all business lines.
Audit plans should be driven by assessed risks, and the internal audit function must evaluate the adequacy and compliance of the first and second lines of defense. Institutions of all sizes can benefit from reviewing their audit scopes to ensure alignment with best practices in risk management.
Conclusion: Preparing for the Future of Cyber Risk Management
As the regulatory landscape for cybersecurity continues to evolve, financial institutions must proactively adapt their governance and risk management practices. The FDIC’s proposed rule serves as a critical reminder of the importance of robust cyber risk management frameworks, particularly in an environment where cyber threats are ever-present.
By enhancing board expertise, implementing the three lines of defense model, prioritizing data aggregation and reporting, and maturing internal audit functions, institutions can position themselves to navigate the complexities of cyber risk management effectively. Whether or not the proposed rule is finalized, its principles can guide institutions of all sizes in developing resilient cybersecurity strategies that protect their assets and maintain the trust of their customers.