Recently, the Federal Reserve Board (Fed) published its annual Cybersecurity and Financial System Resilience report describing measures it has taken to strengthen cybersecurity in the financial services sector, including the supervision and regulation of financial institutions and third-party service providers.
The report highlights an increase in the number of cyber threats. Ransomware, in particular, has been rampant, and the effects of ransomware attacks could be particularly deleterious to smaller banking organizations. Increasing geopolitical events, such as Russia’s invasion of Ukraine, have also led to the potential for an increase in cyberattacks in the U.S., which could affect financial systems. Finally, the Fed acknowledges that a cyberattack on a vendor or third party could impact banks due to supply chain compromise.
Putting It Into Practice: The report highlights the importance that the Fed has placed on cyber-risk mitigation and cyber resilience initiatives and is a good reminder for financial institutions that, as the risks increase, they should prioritize their cybersecurity protocols and should use the Fed’s guidelines to mitigate risk. This latest report is consistent with previous rulemaking from the Fed, OCC, and FDIC to improve information sharing about cyber incidents that may affect the U.S. banking system. Among other things, that rulemaking requires banking organizations to inform their primary federal regulator no later than 36 hours after a determination that a “computer-security incident” has reached the level of a “notification incident” (we discussed this rulemaking in previous blog posts here and here).