Federal Regulators Increasing Focus On Cybersecurity

Cybersecurity has been the focus of a recent surge in regulatory attention. While new binding regulations have yet to be released, federal entities, such as the FFIEC, the Treasury Department and even Homeland Security have all been involved in efforts to urge the financial services industry to take cybersecurity seriously. Federal regulators have taken steps to aid entities in the sector to self-monitor cybersecurity preparedness and are active in seeking input on how cybersecurity regulations should look. Most recently, the FFIEC released clarifying materials on their new Cybersecurity Assessment Tool; financial regulators met with CEOs in the financial services sector to discuss cybersecurity; and the Department of Treasury issued an advisory to financial institutions on cyber-threats.

FFIEC Releases FAQ on the Cybersecurity Assessment Tool

The FFIEC released clarifying points and supporting material in the form of an FAQ for their 2015 FFIEC Cybersecurity Assessment Tool (“CAT”). The FAQ covers topics such as whether use of the tool is mandatory, how the tool works, how other institutions are using it and why the FFIEC thought it should be released. In addition to answering questions related to the CAT, the FAQ also clarifies key terms that industry users found confusing or misleading. Use of the CAT is not mandatory, but the FFIEC does recommend some kind of risk assessment process to identify weaknesses in an institution’s cybersecurity. The CAT was developed by the Council to help institutions identify risks and determine their cybersecurity maturity. It consists of two parts: an Inherent Risk Profile, which identifies the institutions’ inherent vulnerability before any counter-measures are put in place, and Cybersecurity Maturity, which categorizes and defines what safeguards are being utilized.

Included in the FAQ, the FFIEC discusses how the tool was developed by consulting the FFIEC Information Technology Examination Handbook, the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and industry-accepted cybersecurity practices. The NIST Framework is included in the Appendix to the CAT. The NIST was involved in reviewing the CAT to ensure consistency with the principles of the framework.

The entire FAQ release may be found here: https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT%20FAQs.pdf.

Administration’s Meeting with Financial Regulators and CEOs on Cybersecurity in Financial Services Sector

In October, Treasury Secretary, Jacob J. Lew, and Assistant to the President for Homeland Security and Counterterrorism, Lisa Monaco, co-hosted a meeting with financial services executives, financial regulators and administration officials to discuss cybersecurity and the financial stability implications of a significant cyber incident. This gathering of federal regulators and corporate executives continued a recent trend of “public-private” tabletop exercises designed to identify weakness in the system and produce effective responses to cyber threats facing the financial services industry.

Participants in the meeting discussed a number of recent developments in the field of cybersecurity regulation, including the Presidential Policy Directive 41, which governs the Federal government’s response to significant cyber incidents, and the G7 Endorsement of the Fundamental Elements of Cybersecurity for the Financial Sector, which lays out a concise set of necessary features for enhanced cybersecurity for public and private entities in the financial sector.

The summit resulted in leaders from both the government and private sector committing to improved cybersecurity in the financial sector through stronger collaboration, including through the upcoming change in administration. The non-profit Financial Services Sector Coordinating is establishing a CEO cybersecurity council to meet with government counterparts in the future.

A summary of Treasury’s meeting with the financial services industry may be found here: https://www.treasury.gov/press-center/press-releases/Pages/jl0589.aspx.

Treasury Advisory to Financial Institutions on Cyber-events and Cyber-enabled Crime

The Financial Crimes Enforcement Network (“FinCEN”) of the Treasury Department issued an advisory to assist financial institutions in understanding current threats in the cybersecurity field and understand their Bank Secrecy Act (“BSA”) obligations regarding cyber-events and cyber-enabled crime.

The advisory touches on four important areas: 1) Reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (“SARs”); 2) Including relevant and available cyber-related information (e.g., Internet Protocol (“IP”) addresses with timestamps, virtual-wallet information, device identifiers) in SARs; 3) Collaborating between BSA/Anti-Money Laundering (“AML”) units and in-house cybersecurity units to identify suspicious activity; and 4) Sharing information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing and cyber-enabled crime.

FinCEN clarified that the advisory does not change existing BSA requirements or other regulatory obligations for financial institutions. Additionally, filing an SAR does not relieve financial institutions from any other applicable requirements to timely notify appropriate regulatory agencies of events concerning critical systems and information or of disruptions in their ability to operate. FinCEN also noted that the recently passed Cybersecurity Act of 2015 (“Cyber Security Information Sharing Act”), does not change any SAR-reporting requirements under the BSA, SAR confidentiality rules, or the safe harbor protections of the USA PATRIOT Act.

The FinCEN advisory may be found in its entirety here: https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf.