Corporate Compliance Insights
Federal Regulators Unveil Proposed Cybersecurity Standards for Large Financial Firms

by Corporate Compliance Insights
November 23, 2016
in Cybersecurity, News
This piece was prepared by Bracewell attorneys Glen A. Kopp and Chelsea L. O’Donnell.

November 18, 2016 – On October 19, 2016, federal regulators issued an Advance Notice of Proposed Rulemaking titled “Enhanced Cyber Risk Management Standards.”[1] The draft standards, jointly released by the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, seek to enhance existing cybersecurity standards for large financial institutions and, in particular, supplement existing obligations for financial firms that are the most critical to the U.S. financial system. The plan is open for public comment until January 17, 2017.

Financial institutions with $50 billion or more in assets would be considered “covered entities” and subject to the proposed standards. The proposed standards include a two-tiered framework in which all covered entities would have to meet a minimum standard, and “those entities that are critical to the functioning of the financial sector,” referred to as “sector-critical systems,” would have to meet “more stringent standards.”

Minimum Standards Applicable to All Covered Entities

The proposed standards fall within five categories: (1) cyber risk governance, (2) cyber risk management, (3) internal dependency management, (4) external dependency management and (5) incident response, cyber resilience and situational awareness. The proposed standards require covered entities to develop written, board-approved cybersecurity plans that delineate procedures on independent auditing and how issues are reported to the company’s chief risk officer. Under the proposed standards, covered entities also must identify and address internal and external cyber risks and adopt plans to ensure continued operation of core business functions during a cyber incident.

Sector-Critical Standards

Entities that have certain systems that would profoundly affect the security and operation of the U.S. financial system are considered “sector-critical.” The proposed standards list several types of “sector-critical” systems:

  • “systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities and corporate debt and equity securities”
  • “systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in other markets (for example, exchange-traded and over the-counter derivatives)”
  • systems “that support the maintenance of a significant share (for example, five percent) of the total U.S. deposits or balances due from other depository institutions in the United States”
  • “systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility)”
  • “systems that act as key nodes to the financial sector due to their extensive interconnectedness to other financial entities.”

Sector-critical systems would be required to adopt the “most effective, commercially available controls.” In addition, sector-critical entities must have the capacity to “recover from a disruptive, corruptive or destructive cyber event” within two hours, and periodically verify their capacity through quantitative testing.

___________________________________________________

[1] The notice of proposed rulemaking is available here.
