Upload File

memorandum to: the board of directors from: … anpr would invite comment on the agencies'...

  • Home
  • Documents
  • MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)
7
MEMORANDUM TO: The Board of Directors FROM: Doreen R. Eberley Director, Division of sk Management Su vision DATE: October 6, 2016 SUBJECT: ANPR- Enhanced Cyber Risk Management Standards Summary of Staff Recommendation Staff recommends that the Board of Directors (Board) of the Federal Deposit Insurance Corporation (FDIC) approve the attached Advance Notice of Proposed Rulemaking entitled Enhanced CybeN Risk Management Standards (ANPR) and authorize publication of the ANPR in the Fedej~al Register° fora 90 -day comment period. The ANPR would be issued jointly by the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the FDIC (collectively, the Agencies). The ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards) for the largest and most interconnected entities under their supervision and those entities' service providers. The enhanced standards would be intended to increase the entities' operational resilience and reduce the impact on the financial system in the event of a failure, cyber attack, or the failure to implement appropriate cyber risk management. The enhanced standards would cover five categories: (1) cyber risk governance, (2) cyber risk management, (3) internal dependency management, (4) external dependency management, and (5) incident response, cyber resilience, and situational awareness. At the end of each section of the ANPR, the Agencies have included specific questions on which they are requesting comment. Concur: ~~ I ' Charles Yi, General Counsel

Upload: nguyentram

Post on 19-Mar-2018

214 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)

MEMORANDUM TO: The Board of Directors

FROM: Doreen R. Eberley

Director, Division of sk Management Su vision

DATE: October 6, 2016

SUBJECT: ANPR- Enhanced Cyber Risk Management Standards

Summary of Staff Recommendation

Staff recommends that the Board of Directors (Board) of the Federal Deposit InsuranceCorporation (FDIC) approve the attached Advance Notice of Proposed Rulemaking entitledEnhanced CybeN Risk Management Standards (ANPR) and authorize publication of the ANPR inthe Fedej~al Register° fora 90-day comment period. The ANPR would be issued jointly by theBoard of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of theCurrency (OCC), and the FDIC (collectively, the Agencies).

The ANPR would invite comment on the Agencies' consideration of enhanced cyber riskmanagement standards (enhanced standards) for the largest and most interconnected entitiesunder their supervision and those entities' service providers. The enhanced standards would beintended to increase the entities' operational resilience and reduce the impact on the financialsystem in the event of a failure, cyber attack, or the failure to implement appropriate cyber riskmanagement. The enhanced standards would cover five categories: (1) cyber risk governance,(2) cyber risk management, (3) internal dependency management, (4) external dependencymanagement, and (5) incident response, cyber resilience, and situational awareness.

At the end of each section of the ANPR, the Agencies have included specific questions on whichthey are requesting comment.

Concur:

~~

I'

Charles Yi, General Counsel

Page 2: MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)

Background

Financial institutions and consumers have become increasingly dependent on informationtechnology (IT) to facilitate financial transactions. The largest and most complex financialinstitutions rely heavily on IT to engage in national and international banking activities and toprovide critical services to the financial sector and the U.S. economy. As this dependencegrows, so does the opportunity for high-impact IT failures and cyber-attacks. Due to theincreasing inter connectedness of the U. S . financial system, a cyber incident or IT failure at oneentity may impact the safety and soundness of other financial entities and introduce potentiallysystemic consequences.

Depository institutions and depository institution holding companies play an important role inU.S. payment, clearing, and settlement arrangements, and provide access to credit for businessesand households. Non-bank financial companies supervised by the FRB perform criticalfunctions for the U.S. financial system, and financial market infrastructures (FMIs) facilitate thepayment, clearing, and recording of monetary and other financial transactions and services andplay critical roles in fostering financial stability in the U.S. Non-financial institution third partiesthat provide payments processing, core banking (e.g., transactional account, loan, and mortgageprocessing), and other IT services to the foregoing also play a vital role in the financial sector.

For these reasons, the Agencies wish to publish this ANPR to solicit public comment on a seriesof specific proposed standards for certain large and interconnected financial entities, relating tohow those entities identify, measure, mitigate, and monitor various types of cyber risks. Theproposed standards draw significantly on existing guidance and best practices issued by, amongothers, the federal banking agencies, the National Institute of Standards and Technology, andindustry organizations, and should already be broadly familiar to most of the entities that fallwithin the proposed scope. Through a series of questions posed in connection with each aspectof the proposed standards, the ANPR solicits public comment in several areas, including thestringency of various proposed standards; their comprehensiveness and effectiveness inachieving the Agencies' objectives; the feasibility of compliance; costs and benefits to thecovered entities; practical challenges in implementing controls that address the standards; currentpractices that may already address the risks identified by the Agencies; and alternative proposalsand standards that the Agencies may not have considered.

The enhanced standards would be integrated into the existing IT supervisory framework. TheAgencies are considering implementing the standards in a tiered manner:

• EnhafZced standaNds would apply to all systems of covered entities.

• Secto~~ c~iticcrl standards, the highest level, would apply to systems of covered entitiesdetermined by the Agencies to be critical to the financial sector.

Scope

The Agencies are proposing that the enhanced standards apply to the following:

• Those U.S bare holding companies, U.S. operations of foreign banking organizations,and U.S. savings and loan holding companies with total consolidated assets of $50 billionor more;

Page 3: MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)

• Non-bank subsidiaries of covered bank holding companies;

• Non-bank financial companies supervised by the FRB pursuant to section 165 of theDodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act);

• Financial market utilities (FMUs) designated by the FSOC for which the FRB is thesupervisory agency pursuant to sections 805 and 810 of the Dodd-Frank Act;

• Financial market infrastructures (FMIs) over which the FRB has primary supervisoryauthority;

• FMIs that are operated by the Federal Reserve Banks;• Depository institutions and any subsidiaries thereof with total consolidated assets of $50

billion or more, under the respective jurisdictions of each of the Agencies; and

• Third-party service providers with respect to services provided to covered depositoryinstitutions. and their affiliates.

The Agencies are also considering requiring nonbank financial companies and Board-supervisedFMIs to verify that any services received from third parties are subject to the same standards thatwould apply if the services were being conducted by those entities directly.

Cyber Risk Management Standards

The Agencies are considering organizing the enhanced standards into five categories:

• Cyber risk governance;

• Cyber risk management;• Internal dependency management;• External dependency management; and• Incident response, cyber resilience, and situational awareness.

CvbeY risk governance: This entails developing and maintaining a formal cyber riskmanagement strategy, as well as a framework of policies and procedures to implement thestrategy, that are integrated into the overall strategic plans and governance stl-uctures of coveredentities. These standards would provide that the board of directors of a covered entity beresponsible for approving the entity's cyber risk management strategy and for holding seniormanagement accountable for establishing and implementing appropriate policies consistent withthe strategy.

Specifically, the Agencies are considering requiring covered entities to develop a written, board-approved, enterprise-wide cyber risk management strategy that is incorporated into the overallbusiness strategy and risk management of the firm. Further, the board would be expected toreview and approve an enterprise-wide cyber risk appetite and tolerances. The Agencies areconsidering requiring the board of a covered entity to have adequate expertise in cybersecurity orto maintain access to personnel with such expertise. Also, the Agencies are consideringrequiring senior leaders with responsibility for cyber risk oversight to be independent of businessline management and have direct independent access to the board.

CVber risk mana~emerzt: The enhanced standards being considered would require coveredentities to integrate cyber risk management into at least three independent functions: (1) businessunits, (2) independent risk management, and (3) audit.

3

Page 4: MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)

Business units responsible for day-to-day business functions would be required to assess cyberrisks associated with business activities on an ongoing basis and share that information withsenior management, including the chief executive officer. Business units would also be requiredto adhere to procedures and processes to effectively identify, measure, monitor, and controlcyber risk consistent with the entity's risk appetite and tolerances. They would also be expectedto ensure that they maintain, or have access to, resources and staff with the skill sets needed tocomply with the unit's cybersecurity responsibilities.

The Agencies are considering requiring covered entities to incorporate enterprise-wide cyber riskmanagement into the responsibilities of an independent risk management function. This functionwould report to the entity's Chief Risk Officer and board regarding implementation of the cyberrisk management framework. Independent risk management would be required to continuouslyidentify, measure, and monitor cyber risk across the enterprise, and determine whether controlsare consistent with established risk tolerances. Entities would be required to assess thecompleteness, effectiveness, and timeliness with which they achieve aggregate residual risklevels established by the board.

The Agencies are considering requiring the audit function to assess whether a covered entity'scyber risk management framework complies with applicable laws and regulations and isappropriate for its size, complexity, interconnectedness, and risk profile. Further, audit would berequired to incorporate an assessment of cyber risk management into the entity's overall auditplan. More specifically, the audit would be required to include an evaluation of penetrationtesting and other vulnerability assessment activities, as appropriate to the covered entity.

Internal dependency management: The Agencies are considering requiring covered entities tointegrate an internal dependency management strategy into the overall strategic plan to ensurethat roles and responsibilities for internal dependency management are well defined; to establishand update policies, standards, and procedures to identify and manage cyber risks associatedwith internal assets throughout the assets' lifespans; to ensure appropriate oversight to monitoreffectiveness in reducing cyber risks associated with internal dependencies; and to adoptappropriate compliance mechanisms.

The Agencies are considering requiring covered entities to maintain an inventory of all businessassets on an enterprise-wide basis, prioritized according to the assets' criticality to the businessfunctions they support, the firm's mission, and the financial sector. The Agencies are alsoconsidering requiring covered entities to establish and apply appropriate controls to address theinherent cyber risk of their assets, taking into account the prioritization of the entity's businessassets and the cyber risks they pose to the entity.

External dependency management: The Agencies aYe considering requiring covered entities tointegrate an external dependency management strategy into the overall strategic managementplan to ensure that roles and responsibilities for external dependency management are well-defined; to establish and update policies, standards and procedures throughout the lifespan of therelationship; and to adopt appropriate metrics to measure effectiveness and compliance.

The Agencies are also considering requiring covered entities to have a cu1-~ ent, accurate,complete, and prioritized awareness of all external dependencies and tzusted connectionsenterprise-wide based on their criticality to the business functions they suppol-t, the firm's

C!

Page 5: MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)

mission, and the financial sector. Entities should support the continued reduction of the cyberrisk exposure of external dependencies until the board-approved cyber risk tolerance level isachieved.

In addition, the Agencies are considering requiring covered entities to analyze and address thecyber risks that emerge from reviews of their external relationships, and identify and periodicallytest alternative solutions in case an external partner fails to perform as expected.

Incident response, cvbe~ resilience, and situational awareness: Under the enhanced standardsbeing considered, covered entities would be required to be capable of operating critical businessfunctions in the face of cyber-attacks and continuously enhance their cyber resilience. TheAgencies are considering requiring covered entities to establish and implement plans to identifyand mitigate the cyber risks posed through interconnectedness to sector partners and externalstakeholders to prevent cyber contagion.

The Agencies are also considering requiring covered entities to establish and implementstrategies to meet their obligations for performing core business functions in the event of adisruption, including the potential for multiple concuz-rent or widespread interruptions and cyber-attacks on multiple elements of interconnected critical infrastructure, such as energy andtelecommunications.

In addition, the Agencies are considering requiring covered entities to establish protocols forsecure, immutable, off-line storage of critical records, including financial records, loan data,asset management account information, and daily deposit records, including balances andownership details, formatted using certain defined data standards to allow for restoration byanother financial institution, service provider, or the FDIC as receiver.

The Agencies are considering requiring entities to establish plans and mechanisms to transferbusiness, where feasible, to another service provider or entity with minimal disruption and withinprescribed timeframes if the covered entity or service provider is unable to perform.

The Agencies are considering requiring entities to conduct specific testing that addressesdisruptive cyber events that could affect their ability to service clients.

Lastly, the Agencies are considering requiring entities to maintain on ongoing situationalawareness of their operational status and cybersecurity posture to pre-empt cyber events andrespond rapidly to them.

Sector Critical Systems

The Agencies are considering application of the enhanced standards to the systems of all coveredentities, with higher Sector Critical Standards applying to systems of covered entities that aredeemed critical to the financial sector. In defining sector critical systems, the Agencies proceedfrom the Interagency Paper on ,Sound Practices to S't~engthen the Resilience of the U.S.Financial ,System, published in 2003. The Agencies are considering that the following beregarded as sector critical systems:

• Systems that support the clearing or settlement of at least five percent of the value oftransactions (on a consistent basis, to be defined) in one or more of the markets for

5

Page 6: MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)

 

6  

federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity securities;

Systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis, to be defined) in other markets (e.g., exchange-traded and over-the-counter derivatives) or support the maintenance of a significant share (e.g., five percent) of the total U.S. deposits or balances due from other depository institutions in the U.S.;

Systems that provide key functionality (to be defined) to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (e.g., due to incompatibility) if significantly disrupted;

Systems of non-covered entities supervised by an Agency that are otherwise determined by the Agencies to provide critical functionality to the financial sector, following notice to the entity and an opportunity to respond; and

Services provided by third parties that support covered entities’ sector-critical systems.

For sector critical systems, the Agencies are considering requiring covered entities to minimize the residual risk of such systems by implementing the most effective, commercially available controls.

The Agencies are also considering requiring covered entities to establish a recovery time objective of two hours for their sector critical systems, validated by testing, to recover from a disruptive, corruptive, or destructive cyber event.

Implementation of the Standards

The Agencies are considering three mechanisms for implementing the enhanced standards:

A regulation requiring entities to maintain a risk management framework for cyber risks, in conjunction with supervisory guidance that describes minimum expectations for the framework;

A regulation that imposes specific cyber risk management standards; or A regulation that would include details on the specific objectives and practices a covered

entity would be required to achieve in each area of concern in order to demonstrate that the entity’s cyber risk management program could adapt to changes in the entity’s operations and to the evolving cybersecurity environment.

Page 7: MEMORANDUM TO: The Board of Directors FROM: … ANPR would invite comment on the Agencies' consideration of enhanced cyber risk management standards (enhanced standards)

Recommendation

Staff recommends that the Board approve the attached Resolution to adopt and authorize for

publication in the FedeNal Register the attached ANPR for public comment.

RMS Contacts: Mark Moylan, Deputy Director (x40867)

Don Saxinger, Senior Examination Specialist (x40214)

Legal Contact: John Dorsey, Counsel (x83 807)

~iiiacnments


Page 1/13 CARMEN ANPR INSTALL GUIDEdoc.arh.hu/carmen/freeflow/carmen_anpr_install_guide.pdf · Page 6/13 CARMEN ANPR INSTALL GUIDE INSTALLING CARMEN® ANPR 1. SYSTEM REQUIREMENTS

anpr experts - ANPR Cameras & Systems - Traffic Automationtrafficauto.co.uk/brochures/anpr-brochure.pdf · Customer Support... Traffic Automation is one of the industry leaders in

With a focus in Nurse Anesthesia · ANPR 500 Orientation 113 ANPR 505 Basic Arrhythmia/12-Lead EKG 113 ANPR 590 Advanced Physical Health Assessment for Nurse Anesthetists 113 ANPR

siemens.com/mobility The Sicore ANPR camera system · The Sicore ANPR camera system Setting new standards in automated vehicle recognition ... of the vehicle. The integrated image

STANDARDS OF L ENHANCED SCOPE SEQUENCE - VDOE :: Virginia

Wisenet WAVE Wisenet Automatic Incident Detection Solution ... · ANPR & Safe City Cloud ANPR enabled X series cameras & Safe City Cloud solution • Comprehensive ANPR edge camera

ANPR Cameramultimedia.3m.com/mws/media/968661O/anpr-camera.pdf...3M™ ANPR Camera ANPR camera with built in illuminator and processor. Overview Featuring high memory storage and fast

RAISING THE STANDARDS: ENHANCED CATALYTIC PERFORMANCE FOR ...qsinano.com/wp-content/uploads/2016/08/QSI-Ammonia-Whitepaper-0… · raising the standards: enhanced catalytic performance

Seminar on anpr 1

ANPR Report

Anpr general applications

History of ANPR

ANPR Een gedroomde technologie ?

Targeted Enforcement using WIMS & ANPR Phil Stokes · PDF fileDriver and Vehicle Standards Agency incorporating DSA and VOSA Targeted Enforcement using WIMS & ANPR Phil Stokes –

The Enhanced Classroom Development Process: Standards and Practices

History and Social Science Standards of Learning Enhanced

ENGLISH STANDARDS OF LEARNING ENHANCED SCOPE SEQUENCE … 1/VDOE... · English SOL Enhanced Scope and Sequence for Grades 6–8: READING . ENGLISH STANDARDS OF LEARNING. ENHANCED

Localisation des caméras ANPR sur le réseau routier … ANPR... · Localisation des caméras ANPR sur le ... (essentiellement selon les comptages routiers et les statistiques d’accidents

ANPR ACCESS ANPR ACCESS HD - · PDF fileANPR ACCESS | INSTALLATION GUIDE Getting Started 5/36 2 GETTING STARTED 2.1 MOUNTING THE ANPR Determine how to mount the ANPR. Onto a

Secretarial Standards- Enhanced Role of CS - ICSI Role... · Secretarial Standards-Enhanced Role of CS N K Jain ... “Secretarial Standards” means secretarial ... N K Jain B.Sc,

Dodd-Frank Enhanced Prudential Standards for … Polk & Wardwell LLP davispolk.com CLIENT MEMORANDUM Dodd-Frank Enhanced Prudential Standards for Foreign Banking Organizations

National ANPR Standards for Policing Part 2 Infrastructure ... · PDF fileNational ANPR Standards for Policing Part 2 – Infrastructure Standards Version 2.0 October 2014

Forum for Enhanced Reliability and Maintainability Standards

Automatic Number Plate Recognition (ANPR) System Number Plate System.pdf · Automatic Number Plate Recognition (ANPR) System ANPR system has become an extremely critical technology

National ANPR Standards for Policing and Law Enforcement · These standards articulate the requirements with which the police and other Law Enforcement Agencies (LEA), as detailed

Intelligent Data - ANPR Capability

Fusion ANPR - Honeywell INTRODUCTION PRODUCT DESCRIPTION Fusion ANPR is one of a range of leading edge products designed for Microsoft Windows™. Fusion ANPR is an ANPR …

National ANPR Standards for Policing Part 2 ANPR ...library.college.police.uk/docs/APPREF/National-ANPR-standards-part... · was National ACPO ANPR Standards - NAAS v 4.13) 2 Applicability

Enhanced Nutrition Standards for Child Care

2MP HD ANPR Network Camera - TVT CCTV INDIAtvtcctvindia.com/PDF/ANPR/ANPR-A3-LR-IPC-Introduction.pdf · 2020. 6. 4. · ANPR technology can extract license plates from complex backgrounds,

Enhanced Prudential Standards: The Federal …media.mofo.com/files/uploads/Images/120123-Enhanced...has authority to apply enhanced standards to bank holding companies with less than

GUIDA AD ANPR Introduzione - · PDF fileGUIDA AD ANPR Introduzione L’Anagrafe Nazionale della Popolazione Residente (ANPR), è la banca dati nazionale nella quale confluiranno progressivamente

ANPR PowerPoint

Optical Transport Networks- Enhanced Hierarchy Standards · 2018. 5. 2. · Ericsson Broadband Networks Rome 3-5 Nov 2009 Optical Transport Networks-Enhanced Hierarchy Standards

Federal Reserve Proposes Enhanced Prudential Standards for Large