Federal Reserve Board Publishes Annual Cybersecurity and Financial System Resilience Report
On July 7, 2022, the Federal Reserve Board (“Board”) published its annual Cybersecurity and Financial System Resilience Report. The issuance of the report is mandated under the Consolidated Appropriations Act, 2021[1] (“CAA”), which requires the Board to provide a description of measures it “has undertaken to strengthen cybersecurity within the financial services sector and with respect to the Board’s functions as a regulator, including the supervision and regulation of financial institutions and third-party service providers.”
At the outset, the Board “recognizes the increasing and evolving nature of cybersecurity threats to the financial system.” As such, the supervision of financial institutions has evolved to include the “review and monitoring of institutions’ cybersecurity risk management and information technology programs.”
According to the Board, this evolution is evidenced by the issuance of cybersecurity-related regulations and guidance, as well as by the inclusion of cybersecurity-risk management in the Board’s review procedures and as a focal point of supervised institutions’ risk-management programs.
In furtherance of this intention, the Board has “developed, documented, and implemented a comprehensive and robust agency-wide security program to protect the information and the information systems that support its operations and assets.” Further, the security program the Board operates complies with the Federal Information Security Management Act of 2002 (“FISMA”) and with National Institute of Standards and Technology (“NIST”) standards, a practice the Board also recommends to the general public.
The Board also outlined the current and emerging cybersecurity threats to the financial system. Amongst others, such threats include:
Ransomware as a Service (“RaaS”) – an emerging threat in which sophisticated threat actors create “franchised” threat offerings by supplying their ransomware to other malicious actors in exchange for a percentage of the ransom those actors demand from their victims.
Sophisticated Distributed Denial-of-Service (“DDoS”) threats – a more traditional threat that remains prevalent in current and evolving markets, in which threat actors make a machine or a network resource unavailable to its users “by overwhelming the target or its surrounding infrastructure with disruptive traffic.”
According to the Board, a myriad of threats are also emerging from the growing influence of technology in the financial sector, in particular financial technology companies (“fintechs”). The use of digital assets and the data sharing between financial institutions and third parties that are vital to the operation of fintechs create increased cyber exposure.
[1] https://www.congress.gov/116/plaws/publ260/PLAW-116publ260.pdf