Federal regulators have issued an advanced notice of proposed rulemaking (ANPR) requesting public comment on a set of proposed cyber security risk management standards to be applied to large banks. The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are seeking public comment on a new set of standards to bolster the banking industry’s defenses amid an increasing threat of cybercrime.

The ANPR, which is open to public comment for 3 months, would apply to banks with a total of $50 billion worth of assets – affecting mostly larger banks and insurance companies. The regulation is proposed on the back of the idea that a cyber-attack causing significant disruption at one of these entities could have consequences that shake the stability of the entire U.S financial sector – an event that has proven to be an entirely likely – and perhaps inevitable –  scenario.

A Swift Response

This proposal comes as a result of the cyber heist on Bangladesh Bank earlier this year, where hackers were able to withdraw $101 million after infiltrating the SWIFT network – a worldwide network used by the majority of international banks through which payment orders are sent and received, enabling financial institutions to communicate transactions between accounts. The perpetrators were able to compromise Bangladesh Bank’s computer network and use malware that wrote and concealed unauthorized SWIFT messages to request nearly $1 billion from its account at the New York Federal Reserve Bank. Dozens more similar heists have taken place throughout the course of this year, all facilitated by fraudulent SWIFT messages requesting cash transfers from large banks.

Many experts in the cyber security industry anticipate financial messaging systems to be a weak link for some time to come. Yong-Gon Chon, Sunera's CEO, said, “the reality is that the current landscape of digital criminal activity means that threats are faceless and invisible. An invisible threat takes away the advantage of human instinct to suspect unusual activity. Consequently, it has never been more convenient for criminals to exploit the weakest links in the complex inter-networked chain that is our financial messaging system.”

Five Cyber Security Areas of Focus for Banks

Increased security in banking can’t come soon enough, as these sorts of attacks will continue as long as poor security principles remain largely unaddressed. The ANPR highlights 5 areas on which the new standards will focus, requiring an established policy for each of the following:

  • Cyber Risk Governance
  • Cyber Risk Management
  • Internal Dependency Management
  • External Dependency Management
  • Incident Response, Cyber Resilience and Situational Awareness

As evidenced by these areas of focus, avoiding breaches isn’t about having better technology. Rather, regulators are proposing to have banks formulate policies around these 5 areas in order to better prevent breaches and cyber heists, or, better respond to any potential attack and mitigate the disruption to the industry. Covered entities will have to establish goals for their recovery from a cyber-attack and assess their computer systems’ susceptibility to the spreading of malware.

Focal Point is a leading provider of cyber security and risk management services with deep experience serving the banking and financial industry. Our clients benefit from our diverse background in vendor risk management, IT risk assessments, business continuity planning, and penetration testing services. We are closely tracking the progress of the federal banking agencies’ influence in this area.