Cybersecurity 2025

USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields

Cybersecurity risks are also addressed in the Interagency Guidelines Establishing Standards for Safety and Soundness (the “Safety and Soundness Guidelines”), which set out broad safety and soundness standards against which financial institutions are evaluated. As with other components of risk management, the prudential regulators expect a financial institution to tailor its cybersecurity risk management system to be proportionate to the size and the complexity of the institution and its risk profile. In 2020, the prudential regulators published interagency guidance on Sound Practices to Strengthen Operational Resilience (the “Sound Practices”), which brought together existing regulations, guidance, statements and common industry standards for operational resilience. Acknowledging cybersecurity risk as “one of the most important types of operational risk”, the Sound Practices include an appendix with sound practices for managing cyber-risk.

The Federal Financial Institutions Examination Council (FFIEC) – an interagency body that promotes uniformity in the supervision of financial institutions – has also published examination manuals and guidance on cybersecurity risk management, including the FFIEC IT Examination Handbook. Taken together, these rules, statements and guidelines, as well as the FFIEC examination manuals and supplements, provide the prudential regulators’ most current standards regarding managing cybersecurity risk.

3.2 ICT Service Provider Contractual Requirements

The Bank Service Company Act grants the prudential regulators statutory authority to supervise certain third parties that provide services to financial institutions. In the case of IT, these third-party service providers include core application processors, electronic funds transfer switches, internet banking providers, item processors, managed security service providers, and data storage service providers.

In October 2012, concurrently with the release of the Supervision of Technology Service Providers Booklet (the “TSP Booklet”) of the FFIEC’s IT Examination Handbook (described in 3.1 Scope of Financial Sector Operational Resilience Regulation), the prudential regulators also released the Administrative Guidelines on the Implementation of Interagency Programs for the Supervision of Technology Service Providers. The guidelines describe how technology service providers (TSPs) are assessed for risk using the Uniform Rating System for Information Technology (URSIT). The URSIT score is used to determine the priority, frequency and extensiveness of the examinations of TSPs. TSPs are considered either significant service providers (SSPs), serving a large number of banks and posing higher risk, or regional service providers (RSPs), serving fewer banks and posing less risk.

The Multi-Regional Data Processing Servicer (MDPS) programme is a programme that specifically designates for special monitoring and interagency supervision TSPs that are considered “mission-critical” (vital to the successful continuance of a core business activity) for a large number of financial institutions that are regulated by more than one prudential regulator or provide services through a number of technology service centres located in diverse geographic regions. The prudential regulators also conduct shared application software reviews (SASRs) to review major software packages used by a significant

352 CHAMBERS.COM