Cybersecurity 2025

USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields

3.3 Key Operational Resilience Obligations

number of financial institutions or for higher-risk applications in larger financial institutions (such as software packages for use in wire transfer, capital markets, or securities transfer).

Contractual Requirements

Although the prudential regulators have authority to supervise TSPs, financial institutions remain primarily responsible for ensuring that TSPs’ activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, and face liability for breaches or violations by a TSP. As such, financial institutions are expected to have robust third-party risk management processes, including contract development and ongoing monitoring. As described in the TSP Booklet, contracts between financial institutions and TSPs should include the following:

• the right to audit and conduct business continuity planning (BCP) testing;
• measurable service-level agreements (SLAs) for the services being provided;
• default and termination provisions;
• the need for data security and confidentiality to, at a minimum, adhere to US regulatory standards (for foreign-based service providers);
• clear definitions of data ownership and handling expectations;
• the ability to request information describing a TSP’s response to relevant regulations, supervisory guidance, or other notices from federal banking agencies;
• incident response and notification responsibilities; and
• the extension of contractual terms to subcontractors.

Financial institutions are required to maintain risk management systems that are proportional to the size and complexity of their organisation (known as “tailoring”). Because risk management is institution-specific, regulators have not prescribed a fixed set of required processes and controls for cybersecurity risk; instead, the regulatory guidance and FFIEC manuals described in 3.1 Scope of Financial Sector Operational Resilience Regulation provide the standards and best practices against which compliance with regulators’ objectives is assessed. The Joint Statement, described in 3.1 Scope of Financial Sector Operational Resilience Regulation, summarises the elements of effective cybersecurity controls as:

• “response and resilience capabilities” – review, update and test incident response and business continuity plans;
• “authentication” – protect against unauthorised access; and
• “system configuration” – securely configure systems and services.

Incident and Reporting Obligations

The prudential regulators issued a rule, effective as of April 2022, requiring financial institutions to notify their primary federal regulator of any computer security incident that rises to the level of a “notification incident”. The final rule defines a “notification incident” as a computer security incident that the financial institution believes in good faith could “materially disrupt, degrade, or impair”:

• “the ability of the banking organi[s]ation to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
