The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation’s interagency paper, “Sound Practices to Strengthen Operational Resilience,” describes standards for operational resilience set forth in the aforementioned agencies’ existing rules. The paper also provides cybersecurity guidance for domestic banking organizations.
The guidance applies to banking organizations that have average total consolidated assets greater than or equal to:
- $250 billion, or
- $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off balance sheet exposure.
Although this interagency paper is directed to the largest and most complex domestic banking organizations, small community banks can utilize this guidance to assess operational resilience, which is important for all banking organizations irrespective of their asset size.
The guidance comes at a time of unprecedented disruption which include technology-based failures, cyber incidents, pandemics, and natural disasters.
These disruptions, combined with growing reliance on third-party service providers, expose banks to operation risk.
Banks can use the guidance in this interagency paper to strengthen and maintain operational resilience with a comprehensive approach.
Top Takeaways for Banks
- Closely evaluate the sound practices guidance and ensure adequate internal and external resources are in place to adopt these recommended sound practices from a cybersecurity perspective.
- Consider engaging outside experts to conduct an information security risk gap assessment and take aggressive measures to close existing gaps in advance of an information security incident.
- Review incident response and business continuity plans to account for this guidance and ensure sound practices are incorporated into existing plans.
- Conduct a comprehensive review of all third-party vendor engagements to ensure sufficient provisions are contained in the agreements to account for privacy and data security risks. To the extent those provisions do not exist, banks should secure amendments to the agreements to cover these risks as soon as possible.
Appendix A: Sound Practices for Cyber Risk Management
To manage cyber risk and assess cybersecurity preparedness of its critical operations, core business lines and other operations, services, and functions, banks may choose to use standardized tools that are aligned with common industry standards and best practices.
Some tools banks can choose from include the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology Cybersecurity Framework (NIST), the Center for Internet Security Critical Security Controls, and the Financial Services Sector Coordinating Council Cybersecurity Profile.
While the agencies do not endorse the use of any particular tool, here is a summary of the recommended sound practices for cyber risk management in their respective categories, aligned to NIST and augmented to emphasize governance and third-party risk management.
Recommended Sound Practices to Cyber Risk Management
- The bank’s risk appetite and tolerance for disruption reflect the scope and level of cyber risk the bank is willing to accept or avoid for its critical operations and core business lines.
- The bank has established cybersecurity processes to support operating within its risk appetite and tolerance for disruption.
- The bank has a cybersecurity program that implements, monitors, and updates existing processes. The cybersecurity program is continually monitored and improved.
- The bank identifies and manages data, personnel, devices, systems, third parties, and facilities that enable its critical operations and core business lines.
- The bank understands the cybersecurity risks to its critical operations and core business lines, and their underlying data, personnel, devices, systems, third parties, and facilities associated with them.
- The bank limits access to physical and logical assets and related facilities for its critical operations and core business lines to authorized users, processes, and devices, and manages access consistent with the assessed risk of unauthorized access to activities and transactions that require authorization.
- The bank manages information and data consistent with its risk appetite and tolerance for disruption to protect the confidentiality, integrity, and availability of data and systems.
- The bank maintains security processes that address purpose, scope, roles, responsibilities management commitment, and coordination among organizational entities; and processes and uses them to manage protection of information systems and assets.
- The bank upgrades or replaces information system components before technical support is no longer available from the developer, vendor, or manufacturer.
- The bank coordinates response activities with internal and external stakeholders, as appropriate, including external support from regulatory and law enforcement agencies.
- The bank performs activities to prevent expansion of a disruption, mitigate its effects, and resolve the incident.
- The bank improves response activities by incorporating lessons learned from current and previous detection/response activities.
- The bank executes and maintains business continuity and disaster recovery plans, processes, and procedures to support timely restoration of systems or assets affected by cybersecurity incidents.
- The bank improves recovery plans and processes by incorporating lessons learned into future activities.
- The bank coordinates restoration activities with internal and external parties such as internet service providers, owners of compromised systems, other incident response teams, and vendors.
Third-Party Risk Management
- The bank engages in robust planning and due diligence to identify risks related to third parties and establishes processes to measure, monitor, and control the risks associated with them. The process for risk identification and monitoring controls effectiveness may include testing or auditing security controls with the third party.
- Contracts between the bank and third parties are drafted to define clearly which party is responsible for configuring and managing system access rights, configuration capabilities, and deployment of services and information assets.
- The bank has processes for validating that third-party systems used for delivering critical operations and core business lines will be operational during disruptions or able to return to operation in accordance with the bank's tolerance for disruption.
Adams and Reese’s Privacy, Cybersecurity and Data Management team will continue to monitor developments in this arena.