FSOC Cautions Industry About Cybersecurity Risks

Financial Services Law

Cybersecurity threats are the biggest challenge facing the financial services industry, the Financial Stability Oversight Council (FSOC) declared in its annual report, calling on federal regulators to ensure that banks are taking appropriate steps to protect their businesses.

What happened

Established by the Dodd-Frank Wall Street Reform and Consumer Protection Act, the FSOC is made up of representatives from each of the federal financial regulators. As in prior years, the report highlighted the major risks currently facing financial institutions.

At the top of the list: cybersecurity. The threat of cyber incidents continues to grow, the FSOC cautioned, and federal regulators need to ensure that the industry is taking all necessary precautions. To improve safety and mitigate risks, the report offers several suggestions.

Emphasizing “the necessity of sustained senior-level attention” to cybersecurity risks, the FSOC recommended the creation of a council of senior executives specifically focused on cybersecurity. This council could address ways that cyber incidents could impact business operations and market functioning, liaise with principal-level government counterparts on cybersecurity issues, identify specific vulnerabilities in the financial sector’s ability to provide critical products and services, and propose standards for cybersecurity and operational resistance, the report notes.

Information sharing across the private and public sectors can also help with operational risks, the FSOC said. “Sharing cybersecurity information, including ‘indicators’ of potential threats, can have a number of security benefits,” the report explains. “For example, one type of indicator can be used to reduce the time needed to discover that a compromise has occurred so that further damage can be avoided. Another can block attacks using known malware.”

Appropriate standards need to be in place for financial institutions, with the FSOC recommending use of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. “Baseline protections aid in the establishment of cybersecurity risk management programs to increase situational awareness, elevate cyber-risk governance practices, and reduce supply-chain risk,” the report states.

Adding even more value, use of the NIST framework will help establish a “common lexicon” among financial institutions for discussing cybersecurity issues, both in the United States and with international counterparts, the FSOC said.

Not surprisingly, the FSOC spilled some ink on third-party service providers, urging banks to include such entities, as well as any vendor contracts, in their cybersecurity plans and policies. The report “encourages additional collaboration between government and industry on addressing cybersecurity risk related to third-party service providers, including an effort to promote the use of appropriately tailored contracting language.”

Cybersecurity is not the only topic addressed in the report, which also discusses developments in the industry. While praising the benefits of innovation (reducing transaction costs and increasing credit availability, for example), the FSOC warned that new applications of technology “can be disruptive and can create risks and vulnerabilities that are difficult to anticipate.” In light of these uncertainties, the FSOC urged financial regulators “to continue to identify and study new products and services in order to understand how they are used and can be misused, monitor how they affect consumers, regulated entities, and financial markets, and coordinate regulatory approaches, as appropriate.”

Specifically referencing virtual currencies, distributed ledger technologies and marketplace lending, the report notes that federal regulators “should also evaluate the potential effects of new products and services on financial stability, including operational risk.”

To read the FSOC’s 2017 report, click here.

Why it matters

The federal banking regulators underscored the cybersecurity risks facing the industry and offered several suggestions to help mitigate those risks and improve safety for financial institutions.