Corporate Compliance Insights

Federal Regulators Unveil Proposed Cybersecurity Standards for Large Financial Firms

by Corporate Compliance Insights
November 23, 2016
in Cybersecurity, GRC Vendor News

This piece was prepared by Bracewell attorneys Glen A. Kopp and Chelsea L. O’Donnell.

November 18, 2016 – On October 19, 2016, federal regulators issued an Advance Notice of Proposed Rulemaking titled “Enhanced Cyber Risk Management Standards.”[1] The draft standards, jointly released by the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, seek to enhance existing cybersecurity standards for large financial institutions and, in particular, supplement existing obligations for financial firms that are the most critical to the U.S. financial system. The plan is open for public comment until January 17, 2017.

Financial institutions with $50 billion or more in assets would be considered “covered entities” and subject to the proposed standards. The proposed standards include a two-tiered framework in which all covered entities would have to meet a minimum standard, and “those entities that are critical to the functioning of the financial sector,” referred to as “sector-critical systems,” would have to meet “more stringent standards.”

Minimum Standards Applicable to All Covered Entities

The proposed standards fall within five different categories: (1) cyber risk governance, (2) cyber risk management, (3) internal dependency management, (4) external dependency management and (5) incident response, cyber resilience and situational awareness. The proposed standards require covered entities to develop written, board-approved cybersecurity plans that delineate procedures for independent auditing and for how issues are reported to the company’s chief risk officer. Under the proposed standards, covered entities also must identify and address internal and external cyber risks and adopt plans to ensure continued operation of core business functions during a cyber incident.

Sector-Critical Standards

Entities that have certain systems that would profoundly affect the security and operation of the U.S. financial system are considered “sector-critical.” The proposed standards list several types of “sector-critical” systems:

  • “systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities and corporate debt and equity securities”
  • “systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in other markets (for example, exchange-traded and over-the-counter derivatives)”
  • systems “that support the maintenance of a significant share (for example, five percent) of the total U.S. deposits or balances due from other depository institutions in the United States”
  • “systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility)”
  • “systems that act as key nodes to the financial sector due to their extensive interconnectedness to other financial entities.”

Sector-critical systems would be required to adopt the “most effective, commercially available controls.” In addition, sector-critical entities must have the capacity to “recover from a disruptive, corruptive or destructive cyber event” within two hours, and periodically verify their capacity through quantitative testing.

___________________________________________________

[1] The notice of proposed rulemaking is available here.

© 2019 Corporate Compliance Insights