Rock and a Hard Place: Banks In Search of Compliance Amid Diverging Regulatory Regimes
Last year was the first that national banks and federal savings associations subject to supervision by the Office of the Comptroller of the Currency (“OCC”) were armed with a sense of the agency’s regulatory expectations when it came to cybersecurity. As we noted early last year, in an agency report, the OCC specified that, going forward, examiners would use the Cybersecurity Assessment Tool issued by the Federal Financial Institutions Examination Council, in conjunction with other factors, to determine a bank’s ability to detect, prevent and respond to cyber threats. While not the definitive guidance the industry had been looking for, the Cybersecurity Assessment Tool added another analytical reference point to the cyber-regulatory regime. Using the Cybersecurity Assessment Tool, regulated banks can apply the OCC’s framework, focusing on “inherent risk” levels and systemic “maturity,” to prepare themselves for upcoming OCC examinations and related scrutiny of their cyber defenses. Indeed, just this month, the OCC released its semiannual risk perspective, identifying cyber threats as an increasing operational risk, especially as regulated banks rely ever more heavily on third-party providers to execute critical functions.
This year, as many of those same regulated banking institutions re-evaluate their cyber-risk profile, they will face yet another layer of regulatory requirements on the cyber front: namely, the regulation promulgated by the New York Department of Financial Services (“DFS”) that is scheduled to become effective on March 1, 2017. As we have reported, that regulation will impose a sweeping data security scheme on financial institutions including board and C-suite requirements, mandated development and maintenance of a comprehensive, written cybersecurity “program,” and a litany of other requirements.
As a practical matter, for banks that labor under both regulatory regimes, upcoming questions to explore will focus on the overlap between the two regulatory schemes, but perhaps more importantly, areas of disconnect. That is, while 2016 may have been spent re-tooling an organization’s cyber protocols with OCC’s recent guidance in mind, how will such banks have to further refine their policies and systems to ensure compliance with heightened requirements of DFS? For example, under the OCC’s rubric—measuring comparative risk relative to an institution’s cyber “maturity”—one broad consideration is the gap between an institution’s inherent risk and maturity analysis, i.e., the extent to which an individual bank’s cybersecurity systems, processes, policies, and procedures are consistent with its self-described risk profile. And part of an institution’s inherent risk analysis is consideration of involvement by the bank’s board of directors. On the other hand, the proposed DFS regulation requires engagement by a company’s board of directors, including annual board approval of the company’s cybersecurity policies.
Similarly, while OCC’s guidance included analytical factors relating to “external dependency management” (i.e., a bank’s handle on third-party cyber controls), DFS requires such protocols as a baseline for compliance, although each financial institution will have some discretion in fashioning the third-party policies to fit the institution’s risk profile. As to these issues arising from use of third-party providers, OCC has noted that many “banks have increasingly leveraged and become dependent on third-party service providers to support key operations within their institutions.”
Of course, banks need not only consider DFS’s new rules going into 2017. Last October, the OCC, FDIC, and the Federal Reserve released an advance notice of proposed rulemaking that would impose heightened cybersecurity standards on many large financial institutions. According to the notice, those “agencies are considering establishing enhanced standards to increase the operational resilience of [regulated banks] and reduce the impact on the financial system in case of a cyber event experienced by one of these entities.” If these additional rules are realized, they will represent yet another compliance overlay for banks seeking uniform compliance and regulatory certainty. But the banking industry is already pushing back against the proposal as being too prescriptive. In a letter to the Board of Governors of the Federal Reserve, the OCC, and the Federal Deposit Insurance Corporation, the U.S. Chamber of Commerce said that, although the industry supports effective cybersecurity standards, the proposal is “built around static checklists … likely to distract or divert financial institutions away from measures that will more effectively protect the financial system from the most critical cyber risks.”
Financial institutions subject to both federal and DFS regulation will be faced with the task of trying to reconcile – and comply with – different regulatory regimes. The federal proposal is still in the comment phase and the DFS regulation will likely be revised before its March 1st implementation date. We will continue to report on both initiatives.