On December 14, the Financial Stability Oversight Council (FSOC), which was established by the Dodd-Frank Act to analyze and mitigate potential threats to the financial sector, released its first report under the Trump administration (the “Report”). FSOC is comprised of representatives from each of the federal financial regulators, including the CFPB. Mick Mulvaney, President Trump’s designee as CFPB Acting Director, signed the report on behalf of the CFPB.
Among other risk areas discussed in the Report, the FSOC identifies cybersecurity as the first area of risk to be addressed by financial institutions. The FSOC also calls on the federal financial regulatory agencies and the Treasury Department to ensure that banking institutions and third parties are adequately safeguarding against cyber intrusions. Specifically, the Report urges improvement in the following areas:
- Executive Oversight. The FSOC “underscores the necessity of sustained senior-level attention on cybersecurity risks and their potential systemic implications.” To that end, the FSOC recommends the creation of a council of senior executives that would be focused on cybersecurity issues and responsible for liaising with regulators.
- Information Sharing. In order to develop a better understanding of operational risks, improve risk-mitigation efforts, and enhance the financial sector’s security and resilience, the FSOC encourages the sharing of threat information and known vulnerabilities among government agencies and between the public and private sectors.
- Cybersecurity Standards. The FSOC recommends that financial regulators establish a “harmonized risk-based approach” when addressing cybersecurity among financial institutions, including utilizing the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Framework) and developing a common lexicon when discussing these issues with regulated companies. The Report notes that a common lexicon should be created within both the domestic and international financial sectors, and points to the approaches of other G7 countries for instruction.
- Third-party Service Providers. The FSOC encourages financial institutions to address cybersecurity risks related to third-party service providers and adopt the use of appropriately tailored language in vendor contracts.
- Coordination of Response and Recovery Processes. The Report states that the Financial and Banking Information Infrastructure Committee (FBIIC) should continue to promote processes to strengthen response and recovery efforts while working closely with the Department of Homeland Security (DHS), law enforcement, and industry partners to carry out regular cybersecurity exercises.
Financial institutions and their service providers should enhance their cybersecurity protocols to address the Report’s recommendations. Based on the Report, we suggest that companies, at a minimum, consider preparing Board presentations that appropriately discuss the legal risks associated with cybersecurity, implementation of the NIST Framework as appropriate, and incorporation of cybersecurity provisions into vendor contracts.