The new guidelines released a few weeks ago by the OCC, the Federal Reserve, and the F.D.I.C., entitled “Enhanced Cyber Risk Management Standards,” are an interesting read—and one that we should study now in order to gain insight into how the next few years of cybersecurity rule-making and regulation could pan out. Regardless of who wins the U.S. Presidential election and who ultimately controls Congress, these rules appear to be moving in a direction that will dictate spending patterns, staffing plans, technology adoption, and more as we work to strengthen our national cybersecurity stance in a way that protects both our government and our economy.
These four specific areas are the ones to keep an eye on in the coming months:
A Tiered Approach: The regulators explicitly point out that they are open to considering an approach that would apply these new rules in a gradual manner. By doing so, they are demonstrating that they recognize a few realities that we know to be true. First, they understand that cybersecurity skills are in high demand and, therefore, executing a detailed plan to respond to these rules requires time to hire and train staff. Second, many new cybersecurity products and services that could potentially address emerging issues are coming onto the market at a rapid clip, and time will be required to evaluate these offerings. Providing this flexibility will ultimately result in better compliance, because the timelines will be more realistic for most financial services organizations and corporates impacted by these rules.
Interconnectedness: The enhanced guidelines specifically target “the largest and most interconnected entities,” and that is important. While for many years a great deal of emphasis was placed on third-party service providers, this emphasis on interconnectedness is refreshing to see. We only have to look at the impact of last week’s massive DDoS attack on Dyn to see a scenario that justifies focusing on those organizations whose interconnected relationships could pose the most problems were a cyber incident to occur.
Beyond the Voluntary: The FFIEC’s 2015 “Cybersecurity Assessment Tool” was voluntary and “does not establish binding minimum standards.” Those days of volunteerism appear to be ending soon. Making things mandatory will increasingly become the norm when it comes to cybersecurity standards adoption.
International Reconciliation: Reconciliation and harmonization across jurisdictions have always been tough for American financial services organizations when comparing state and federal examiners’ priorities and rules. On the international stage, the situation is even more complex. Moreover, most of the entities likely to be impacted by this rule (those with $50 billion in assets and above) have a toehold in at least a few countries and therefore probably struggle with international differences. Recognizing this by trying to mimic, or even build upon, the effort that was recently launched between the Committee on Payments and Market Infrastructures (CPMI) and the Board of the International Organization of Securities Commissions (IOSCO) is therefore significant.
So where are we now? If past experience is any indication, we are bound to see a flood of comments on these guidelines from cybersecurity vendors, consultants, and, of course, from within the financial services sector itself. From my standpoint, the more feedback, the better. As attacks become more frequent and the creativity and cunning of the attackers only increases, harnessing the most insight will yield the best defense.
Beyond this initial development stage for these guidelines, it is somewhat comforting to see that regulators are being so overtly transparent in their desire to find the appropriate balance between burdening their regulated entities and protecting the U.S. financial system. Even in this divisive election year, proactively protecting our people and our assets is something we can all agree is vital to the strength of our economy and our nation’s safety.