Cybersecurity remains a top concern for banks and regulators, as data breaches pose substantial regulatory risk and high costs. As I have written in recent posts, banks must develop comprehensive cybersecurity policies to protect against data breaches and avoid adverse action from the regulators. Recent guidance and statements from the regulators provide additional insight into best practices in data security.
1. Bank regulators issue proposed new cybersecurity standards.
Earlier this month, the OCC, FDIC, and Federal Reserve Board issued proposed new rules to enhance cyber risk governance at the banks they supervise. Although the rules would apply only to the largest institutions (over $50 billion in assets), community banks should pay attention to them as a guide to what the regulators expect in the data security context.
The new rules propose enhanced standards in five areas:
- Cyber risk governance. This includes the development of written cybersecurity policies with oversight from the board of directors or a board committee. The proposal also would place cybersecurity oversight with a senior leader who is independent of business line management.
- Cyber risk management. This includes consideration of each separate business unit and integration of cyber risk into banks’ existing risk management plan at the enterprise level. Banks also would be required to include cyber risk assessment in their audit plans.
- Internal dependency management. This would require banks to ensure that they have the capabilities in place to manage the cyber risks associated with all of their business assets (their workforce, data, technology, and facilities).
- External dependency management. This includes oversight of outside vendors and other external third parties.
- Incident response, cyber resilience, and situational awareness. This addresses banks’ responses to data breaches, including the ability to operate critical functions in the face of cyber attacks and incident response plans when attacks occur.
2. New York issues proposed cybersecurity rules for banks.
Federal regulators are not the only ones to weigh in recently on data security. Last month, the state of New York issued its own proposed cybersecurity regulations for banks. New York's proposed regulations are broader than the proposed federal regulations, applying to any entity that operates under a bank charter or license (although there is an exemption for very small banks with less than $5 million in revenue or $10 million in assets). The New York regulations would require banks to establish minimum cybersecurity standards, including a written cybersecurity policy and incident response plan. Banks also would be required to designate a Chief Information Security Officer to oversee these written policies. The proposed regulations also mandate annual penetration testing, quarterly vulnerability assessments, and cybersecurity training for all employees. In addition, the regulation would require a bank to report a data breach to the New York Department of Financial Services within 72 hours of becoming aware of it.
Lastly, one of the critical areas of emphasis in the proposed regulation involves supervision of bank vendors. As I have written about recently, it is best practice for banks to have clear policies for managing vendors that have access to customer information. Beyond best practice, New York’s proposed regulation would make direct vendor supervision and oversight the law.
3. CFPB urges banks to read enforcement actions and consumer complaints.
Although not directly aimed at data security, recent comments by CFPB Director Richard Cordray are important for bank compliance officers and may be particularly relevant to cybersecurity issues since that is an area of priority for the CFPB. In his October 25 speech to the Mortgage Bankers Association, Director Cordray urged bankers to review not only complaints against their own institution, but also against others in the same market to “address current problems and prevent issues from arising in the future.” According to the CFPB, “this work is an important part of sound compliance management.” This comment suggests that a compliance officer has a duty to stay up to date not only on laws and regulations, but also on the latest complaints and enforcement actions by the CFPB.