FRB Reports on Cybersecurity Risk Management

The Federal Reserve Board ("FRB") reported to Congress on cybersecurity risk management practices at financial institutions and efforts to address emerging risk.

In its Report, the FRB reviewed:

  • FRB Risk Management Policies and Procedures. The FRB reviewed its supervisory and examination functions on cybersecurity. The FRB also reported on its ongoing efforts to monitor financial institutions’ cybersecurity risk management and information technology programs. The FRB highlighted its "actions and actions in collaboration with other financial regulatory agencies" including (i) issuing cybersecurity-related regulations and guidance, (ii) collecting data on cyber incidents to monitor trends within the financial services sector and (iii) utilizing a framework based on the standards and guidance provided by the National Institute of Standards and Technology.
  • Outsourcing. The FRB highlighted increased risks of malicious cyber activity within the financial sector due to "advanced persistent threats," and an increase in financial institutions’ dependence on third-party service providers.
  • Global Coordination. The FRB emphasized its engagement with domestic and international forums on improving the cyber resiliency of the financial services sector, in addition to closely coordinating with regulatory agencies on a global scale to share information and best practices.
  • Threats. The FRB said it is continuing to monitor (i) the financial sector’s vulnerability to foreign conflicts due to the interconnectedness of the global financial market, (ii) ransomware groups as they develop their techniques to "monetize cyberattacks and exert maximum pressure on victim organizations" and (iii) insider threats by personnel and through contractual arrangements.
