U.S. Cyber Incident Reporting for Critical Infrastructure Act
With critical infrastructure (such as power plants) being increasingly targeted by cyber criminals, legislatures are taking steps to protect these assets. The U.S. Cyber Incident Reporting for Critical Infrastructure Act was signed by President Biden in March 2022. It goes into effect in 2023.
The Act creates two new reporting obligations on owners and operators of critical infrastructure:
- An obligation to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) within 72 hours
- An obligation to report ransomware payments within 24 hours
CISA is required to aggregate reports and share information. At this time, there are no provisions for enforcement.
The Act is also targeted at 16 industries that are deemed to be critical: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.
FFIEC and Third-Party Risk Management
Operational resilience and corresponding third-party risk management in the United States are not governed by direct regulation and are instead managed via policy. The Federal Financial Institutions Examination Council (FFIEC) is an interagency body that has been empowered to establish guidelines as well as uniform principles and standards for the federal examination of financial institutions. The FFIEC has provided guidance on specific topics of interest to field examiners that sets forth uniform principles and standards for financial institutions. The handbooks that the FFIEC has authored cover many subjects, including audit, business continuity planning (BCP), information security, outsourcing technology services, and other topics.
Some of the handbooks that are of interest to Fusion’s customers are:
- The FFIEC Business Continuity Booklet – This resource provides an enterprise-wide approach to address technology, business operations, testing, and communication strategies that are critical to the continuity of a business. The handbook sets forth principles and best practices for information technology (IT) and operations teams that are designed to achieve safety and soundness, consumer financial protection, and compliance with applicable laws, regulations, and rules.
- The IT Examination Booklet – While the direct scope of its requirements applies to regulated financial institutions, it is also useful for technology and data service providers, along with other third parties that work closely with financial institutions, to understand the control frameworks. This can help them withstand scrutiny, meet financial services audit requirements, and position themselves as able.
The OCC Bulletins: 2013-29 and 2020-10
The Office of the Comptroller of the Currency (OCC) is the U.S. Department of Treasury’s independent regulatory authority. The OCC is responsible for chartering, regulating, and supervising all national banks, federal savings associations, and federal branches and agencies of foreign banks. The OCC’s mission is to ensure that entities under its wing operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and adhere to all applicable laws and regulations.
OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance," was issued on October 30, 2013. It sets the expectation that banks effectively manage risk regardless of whether the bank performs the activity internally or through a third party. The document takes a risk-based approach to managing third parties, based on both the level of risk and the complexity of the relationship, and has provisions for initial due diligence, ongoing monitoring, and good governance procedures that include management accountability.
The OCC Bulletin 2020-10 rescinded OCC Bulletin 2017-21 and was published on March 17, 2020. This is a document that provides clarification on the original bulletin in the form of an FAQ (Frequently Asked Questions).
Entities that are not directly regulated by the OCC should take note of these requirements if they sit within the Financial Services Value Chain, as the requirements can be passed down via contractual obligations.
U.S. SEC Rules for Cyber Disclosure
The United States Securities and Exchange Commission (SEC) regulates reporting by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934. In response to increasing reliance on third-party technology and data service providers along with an increase in the frequency and severity of cyberattacks, the SEC has prepared a proposal on cybersecurity disclosures. The proposal is expected to be adopted as is in the second half (H2) of 2022.
The proposal would:
- Require current reporting about material cybersecurity incidents on Form 8-K
- Require periodic disclosures regarding, among other things:
  - Policies and procedures to identify and manage cybersecurity risks
  - Management’s role in implementing cybersecurity policies and procedures
  - The board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk
  - Updates about previously reported material cybersecurity incidents
- Require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language (XBRL)
Making intentionally false statements or materially misrepresenting facts in these disclosures would be subject to criminal prosecution.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA’s goal is to ensure that sensitive protected health information (PHI) is not improperly disclosed without a patient’s consent. The scope of HIPAA is narrow compared to some of the other privacy regulations and applies to defined covered entities such as health plans, healthcare clearinghouses, and certain healthcare providers. It can also apply to business associates, which are defined as third parties that have access to PHI.
HIPAA includes a Privacy Rule that establishes limits and conditions on the uses and disclosures of PHI as well as a Security Rule that establishes guardrails for organizations that hold and store electronic PHI.
Organizations that process and store PHI should be aware of HIPAA and keep in mind that HIPAA’s Security Rule can have overlapping controls within certain information technology (IT) security frameworks. In the context of operational resilience, it is important for organizations to identify third-party vendors who may process or store customer PHI to ensure that the appropriate controls are implemented to protect such data. Organizations should also be sure to consistently update their incident response plans to guarantee that HIPAA’s breach notification requirements are met in the event of an incident.
The Gramm-Leach-Bliley Act (GLBA)
The GLBA was passed by the United States Congress in 1999 and went into force in 2001. It tackles consumer privacy in financial institutions, amongst other things. The requirements include providing notifications to customers about information sharing practices and providing “opt-out” rights for consumers for information sharing with certain third parties. Additionally, entities that receive consumer financial information from a financial institution may be restricted in their reuse and disclosure of that information.
The Federal Trade Commission (FTC) could bring enforcement actions for violations of the Privacy Rule by filing in federal district court where it has the power to seek injunctive and equitable relief. The FTC can also audit privacy policies and practices for deception and unfairness.
Several of the safeguarding provisions overlap with controls in other IT security and data privacy frameworks. In the context of operational resilience, it is important for customers to understand how the rule applies to critical business services and third parties with whom consumer financial data is shared.
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) was first-of-its-kind legislation in the United States. It provides similar protections to the General Data Protection Regulation (GDPR), since it regulates how businesses can collect and use personal data of California residents. The CCPA provides requirements such as the right of notice, the right to delete personal information (with certain exceptions), opt-out rights, and the right to non-discrimination for exercising rights under the CCPA.
The scope is limited and applies only to companies doing business within California that meet any of the following requirements: have a gross annual revenue greater than $25 million; buy, receive, or sell personal information of 50,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information.
Like some of the other privacy requirements, it is helpful for customers to be aware of which important business services and third parties support or have access to California residents’ personal information to ensure the appropriate risk controls, continuity plans, and incident response plans are in place.
The OCC Sound Practices on Operational Resilience
The United States has taken a different approach to operational resilience. In October 2020, the U.S. regulators issued non-binding guidance on sound practices for operational resilience, including cyber resilience. The guidance directly applies to U.S. banking organizations with: (a) $250 billion or more in total assets or (b) $100 billion in total assets and $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.
The regulators note that the guidance does not revise existing precedent or impose new requirements but rather draws from existing regulations and standards. Like many other direct operational resilience requirements, it covers the concepts of governance, operational risk management, business continuity management, third-party risk management, scenario testing, cyber risk management, and surveillance and reporting.
It is possible that this guidance will undergo further refinement and that the U.S. regulators and legislatures may eventually take an approach similar to that of other global operational resilience requirements.