In response to the heightened cyber-security risk facing the financial services industry and other critical business sectors, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued an interagency statement on heightened cyber-security risk. The agencies issued this statement to remind supervised financial institutions of sound cyber-security risk management principles that can reduce the risk of a cyber-attack and minimize business disruptions.
These principles elaborate on standards articulated in the Interagency Guidelines Establishing Information Security Standards as well as resources provided by FFIEC, such as the Statement on Destructive Malware. While preventive controls are important, financial institution management should be prepared for a worst-case scenario and maintain sufficient business continuity planning processes for the rapid recovery, resumption, and maintenance of the operations of an institution. The following are the key highlights of the statement:
- The Department of Homeland Security has indicated there is heightened risk of cyber-attack against U.S. targets because of increased geopolitical tension.
- The current environment provides an opportunity for banks to re-evaluate the adequacy of safeguards to protect against various types of cyber-security risk.
- The attached Heightened Cybersecurity Risk document highlights principles previously articulated by FDIC and other banking regulators, including business resilience, authentication, system configuration, security tools, data protection, and employee training.
- When banks apply cyber-security risk management principles and risk mitigation techniques, they reduce the likelihood that a cyber-attack succeeds and minimize the negative impact of a disruptive or destructive cyber-attack.
Related links: Joint Statement; Guidelines Establishing Information Security Programs; FFIEC Cyber-Security Awareness Resources
Keywords: Americas, US, Banking, Cyber Risk, Cyber Attack, Business Continuity, Cyber Security, OCC, FDIC