On October 30, 2020, the US federal banking regulators1 issued guidance on sound practices for the largest US banking organizations to strengthen their operational resilience, including with respect to cyber risk management (the “Guidance”).2 Operational resilience is an organization’s ability to prepare for, adapt to, withstand, and recover from disruptions and to continue operations. Disruptions may come from any type of internal or external operational risk and include technology-based failures, cyber incidents, pandemic outbreaks, and natural disasters.
The practices in the Guidance are characterized as being drawn from “existing regulations, guidance, statements, and common industry standards,” and the regulators maintain that the Guidance does not revise existing precedent or impose new requirements. However, the Guidance blurs the lines between rules, guidance, and supervisory expectations, and, therefore, regulators could expect the largest and most complex banking organizations to enhance operational resilience policies, procedures, and processes and associated control, monitoring, and testing to address the Guidance. Additionally, the Guidance blends concepts from different areas of banking law and, therefore, could be characterized as requiring organizations to reorganize compliance structures to coordinate activities that were previously conducted in silos.
As nonbinding guidance, the Guidance is immediately effective. Further, the regulators indicate that they intend to hold discussions in the coming months with the public to identify additional measures to improve operational resilience, and these additional measures may be incorporated into updates to the Guidance. Accordingly, banking organizations of all sizes should begin thinking about how the Guidance could or does impact them and how they might engage with the regulators during the discussions.3
In this Legal Update, we discuss the background of the Guidance and describe its practices for strengthening operational resilience and managing cyber risk.
Operational resilience has been recognized as an important issue for banking organizations for many years, even though US regulators had not published comprehensive rules or guidance on the topic.4 Rather, operational resilience was addressed in a piecemeal fashion as a goal or outcome of other regulatory initiatives, including recovery and resolution planning, enterprise-wide risk management, business continuity management, third-party risk management, and regulatory capital.
More recently, in 2016 the US regulators proposed establishing cyber risk management standards that would have had the explicit purpose of increasing operational resilience at larger banking organizations.5 This approach, however, was effectively abandoned in late 2017 in response to industry feedback on the need for a more flexible approach.6 Instead, the regulators indicated that they would articulate expectations for cybersecurity risk management and resilience in the form of guidance.7
Additionally, US regulators have been undertaking initiatives that require large and complex banking organizations to adopt an enterprise-wide approach to aspects of risk management and, thereby, rationalize and integrate regulatory initiatives that were implemented in a piecemeal fashion. For example, the 2018 large financial institution rating system rulemaking, the 2019 tailoring rulemaking, and the 2020 stress capital buffer rulemaking were all intended to align and integrate regulatory requirements.8
International regulators also have focused on operational resilience in recent years. Earlier in 2020, the Basel Committee on Banking Supervision (“BCBS”) released proposed principles for operational risk and operational resilience that are intended to “mitigate the impact of potentially severe adverse events by enhancing banks’ ability to withstand, adapt to and recover from them.”9 These proposals have not been finalized by BCBS, but are largely aligned with the Guidance.
Scope of the Guidance
The Guidance directly applies to US banking organizations with: (a) $250 billion or more in total assets or (b) $100 billion in total assets and $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.
For these purposes, US banking organizations include national and state banks, savings associations, and US bank and savings and loan holding companies, but exclude US intermediate holding companies of foreign banking organizations.10 Accordingly, the Guidance applies to approximately 15 to 20 of the largest US banking organizations at the date of publication of this Legal Update.
Further, the Guidance reiterates that operational resilience is important to all banking organizations. Therefore, smaller banking organizations may be implicitly encouraged by their regulators to consider looking to the Guidance as a distillation of best practices and consider participating in the public discussion period.
Sound Practices for Operational Resilience
The Guidance describes seven categories of sound practices that US banking organizations may use to strengthen and maintain their operational resilience:
1. Governance. The Guidance contains six practices that US banking organizations may use to promote effective governance of operational resilience activities. These practices are primarily drawn from the three lines of defense model in the OCC’s heightened standards,11 but also incorporate concepts from the resolution planning rule and the advanced approaches component of the regulatory capital rule.12 For example, the Guidance suggests that an organization’s board of directors oversees the management of operational risk in first, second, and third lines of defense and holds management accountable for ensuring that each line adheres to the organization’s tolerance for disruption aligned with established risk appetite statements.
2. Operational Risk Management. The Guidance contains seven practices that US banking organizations may use to promote effective operational risk management. These practices rely on a risk management framework of identifying, managing, and mitigating risks. However, these practices have been enhanced through tie-ins to the three lines of defense model and recovery and resolution planning expectations.
3. Business Continuity Management. The Guidance contains nine practices that promote business continuity management. These practices reflect the extensive guidance that has been issued by the regulators, such as the 2003 guidance on sound practices to strengthen the resilience of the US financial system and the 2019 information technology booklet on business continuity management. However, as with the other categories, the regulators weave in recovery and resolution planning concepts, such as ensuring that an organization can continue to deliver critical operations and core business lines through a disruption.
4. Third-Party Risk Management. The Guidance contains seven practices that promote management of third-party risk. This is another category for which there already is extensive guidance and includes key practices like implementing effective management and monitoring of third-party performance and reviewing tests of third-party systems and controls (e.g., System and Organization Controls (“SOC”) reports).
Interestingly, the Guidance contains a footnote stating that “12 U.S.C. 1867(c)(2) requires firms to notify the Agencies of service relationships.” While that is a true statement of language in the statute, the regulators have taken different approaches to implementing that language and the Guidance does not resolve those differences.13
5. Scenario Analysis. The Guidance contains five practices that promote scenario analysis, which is generally understood to be a type of stress testing in which a banking organization applies historical or hypothetical scenarios to assess the impact of various events and circumstances. For example, one of the practices listed in the Guidance is to back-test scenarios against past instances of severe disruption. More generally, these practices appear to merge stress testing and resolution planning concepts.
6. Secure and Resilient Information System Management. The Guidance contains five practices that promote secure and resilient information systems and also addresses practices for cyber risk management (discussed in the next section). The practices for information systems include common industry practices such as the implementation of controls to safeguard the integrity and availability of critical data against the impact of destructive malware, including ransomware, or other similar threats.
7. Surveillance and Reporting. The Guidance contains three practices to promote surveillance and reporting. Specifically, the Guidance contemplates reporting of operational risk exposures to senior management and the board of directors. In this regard, the Guidance is narrower than the BCBS proposal, which suggests that regulators “may wish to establish reporting mechanisms directly with banks and external auditors” for operational risk information, and a 2020 Federal Reserve Bank of Richmond staff paper, which suggested that the Federal Reserve or other regulators might collect information on cyber losses from banking organizations.14
Sound Practices for Cyber Risk Management
As has been anticipated since the regulators effectively abandoned the cyber risk management standards rulemaking in late 2017 in favor of a more flexible approach, the Guidance contains a list of 37 practices for managing cyber risk. These practices are tied to a modified version of the cybersecurity framework released by the National Institute of Standards and Technology (“NIST”), which contains five categories for Identification, Protection, Detection, Response, and Recovery.15 However, the regulators have extended the NIST framework by adding categories and practices for Governance and Third-Party Risk Management. Additionally, the Guidance clearly incorporates concepts from the three lines of defense and recovery and resolution planning expectations into the practices for managing cyber risk.
Interestingly, the Guidance mentions the regulators’ own framework for managing cyber risk and assessing cybersecurity preparedness, the FFIEC Cybersecurity Assessment Tool. However, the Guidance does not map the practices for cyber risk management to that framework, even though that is the framework that is used by bank examiners when benchmarking and assessing bank cybersecurity efforts.16 While federal regulators have not required banking organizations to adopt a framework for managing cyber risk, there are efficiencies to an organization adopting a framework and having that framework be the same as the one that is used by examiners.17 Therefore, the emphasis of the NIST framework in the Guidance may raise questions as to which framework the regulators will use in future examinations or will expect banking organizations to use.
The Guidance is largely consistent with the BCBS proposals and reflects the increased importance regulators and the industry are placing on operational resilience. Many of the practices in the Guidance should be familiar to banking organizations of all sizes and may already be in place.
However, the Guidance blurs the lines between rules, guidance, and supervisory expectations, and, therefore, regulators could expect the largest and most complex banking organizations to enhance operational resilience policies, procedures, and processes and associated control, monitoring, and testing to address the Guidance. The Guidance also blends concepts from different areas of banking law, and therefore, may require organizations to reorganize compliance structures to coordinate activities, such as resolution planning and stress testing, that were previously conducted in silos. Additionally, the Guidance does not cite a regulation or guidance document for each practice, and, therefore, some practices most likely reflect the adoption of conditions imposed in enforcement actions or common industry standards as supervisory expectations.
Therefore, we expect that the largest US banking organizations may need to adjust existing risk and compliance programs to incorporate the Guidance’s descriptions of sound practices. Further, even smaller US banking organizations may consider following part or all of the Guidance to align with the regulators’ thinking around best practices.
Finally, it is possible that the Guidance will undergo further revision following the public dialogue that the regulators contemplate occurring in the coming months. We expect that this dialogue will be informed by the actions that BCBS takes with respect to its proposals and feedback from the industry, as well as the outcome of the US presidential election. Accordingly, even though the regulators have not invited them, once the public dialogue is underway, banking organizations of all sizes (and even some of the larger nonbank financial intermediaries) may consider submitting comment letters to proactively address practices in the Guidance and areas where changes may be warranted.
1 The US banking regulators are the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC”).
2 Press Release, Agencies release paper on operational resilience (Oct. 30, 2020), https://www.federalreserve.gov/newsevents/pressreleases/bcreg20201030a.htm.
3 While the Guidance does not apply to nonbank organizations, Vice Chair Quarles of the Federal Reserve has expressed concern regarding the resiliency of certain nonbank financial intermediaries. See Mayer Brown’s Legal Update regarding these concerns: https://www.mayerbrown.com/en/perspectives-events/publications/2020/10/feds-quarles-signals-reforms-may-be-needed-for-the-nonbank-sector. Therefore, larger nonbank financial intermediaries may want to consider the Guidance if looking for potential best practices.
4 E.g., Roger Ferguson, Jr., A Supervisory Perspective on Disaster Recovery and Business Continuity (Mar. 4, 2002) (“it is increasingly clear that the operational resilience of the largest institutions in key markets needs to reflect their systemic impact across the financial sector”).
5 81 Fed. Reg. 74,315 (Oct. 26, 2016). Shortly after the federal regulators issued the proposed standards, the New York Department of Financial Services finalized cybersecurity regulations for certain financial institutions in New York. See our Legal Update on the New York cybersecurity regulations: https://www.mayerbrown.com/en/perspectives-events/publications/2017/03/cybersecurity-ny-adopts-final-regulations-for-bank. These regulations have been referenced by others as a best practice for cybersecurity.
10 The Guidance does not address whether it would apply to a US bank holding company that also is a US intermediate holding company, nor how it would apply to a subsidiary bank of such a holding company (e.g., a large national bank that is indirectly controlled by a foreign banking organization). While not explicitly addressed in the Guidance, it presumably does not apply to US branches and agencies of foreign banking organizations.
11 12 C.F.R. pt. 30, app. D. See our Legal Update on the Institute of Internal Auditors’ recent revisions to the three lines of defense model, https://www.mayerbrown.com/en/perspectives-events/publications/2020/07/the-blurred-lines-of-organizational-risk-management.
13 Compare FDIC, FIL-49-99 (June 3, 1999) (requiring actual reporting of covered relationships), with OCC, Bull. 2013-29, n.10 (Oct. 30, 2013) (requiring constructive reporting through maintenance of an inventory of third-party relationships).
14 Filippo Curti, et al., Cyber Risk Definition and Classification for Financial Risk Management, n.2 (updated July 14, 2020). Of course, regulators have the authority to request information from organizations on a case-by-case basis, but these requests would be non-public and not necessarily in a standardized format.
16 OCC, Bull. 2016-34, Frequently Asked Questions on the FFIEC Cybersecurity Assessment Tool (Oct. 17, 2016). The regulators mapped an earlier version of the NIST framework to the FFIEC Cybersecurity Assessment Tool, so organizations may be able to re-map the Guidance using that resource. See FFIEC, Appendix B: Mapping to NIST Cybersecurity Framework (June 2015).
17 E.g., Press Release, FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness (Aug. 28, 2019); Press Release, CFTC Encourages Standardized Approaches to Assessing Cybersecurity Preparedness, Including the FSSCC Cybersecurity Profile (July 16, 2020).