Cybersecurity 2025

USA Law and Practice Contributed by: Beth George, Timothy Howard, Brock Dahl and Megan Kayo, Freshfields

• any business line of a banking organi[s]ation, including associated operations, services, functions and support, [where this] would result in a material loss of revenue, profit, or franchise value; or
• operations of a banking organi[s]ation, including associated services, functions and support, as applicable – the failure or discontinuance of which would pose a threat to the financial stability of the United States”.

Financial institutions must notify their primary regulator as soon as possible and no later than 36 hours after the financial institution determines that a notification incident has occurred. Each prudential regulator has designated its own points of contact for notification, available on that regulator’s website.

3.4 Operational Resilience Enforcement

Enforcement of the laws and regulations described in 3.1 Scope of Financial Sector Operational Resilience Regulation begins with the supervisory and examination authority of the prudential regulators. For financial institutions, cybersecurity risks are assessed during the course of a full-scope, on-site examination as part of the financial institution’s routine supervisory cycle, or during a specialty examination such as an IT examination. The prudential regulators have the authority to supervise TSPs, as described in 3.2 ICT Service Provider Contractual Requirements, and TSPs are examined based on their risk level as calculated using a URSIT rating. The examinations of TSPs focus on issues such as management of technology, integrity of data, and confidentiality of information. Financial institutions are entitled to copies of the Report of Examination (ROE) of a TSP with which they have a contract.

Cybersecurity control deficiencies are generally not subject to public enforcement actions by prudential regulators unless the financial institution is subject to a major cybersecurity breach. Instead, the prudential regulators may issue a “matter requiring attention” (MRA), a “matter requiring immediate attention” (MRIA), or – in the case of the FDIC – a “matter requiring board attention” (MRBA), which are confidential supervisory findings that require the financial institution to take corrective action. The board of directors is expected to respond to MRAs, MRIAs, and MRBAs through written responses and progress reports, and the prudential regulators will continue to monitor corrective action until resolved. If the corrective action is not satisfactory to the prudential regulators, MRAs and MRIAs could lead to further formal or informal investigation or enforcement action. Formal enforcement actions may take the form of cease-and-desist orders, civil monetary penalty orders, or other actions.

3.5 International Data Transfers

The primary US restrictions on data transfers are not specific to the financial sector but apply more broadly to a range of identified transaction categories. The restrictions were established via Executive Order 14117 (2024) and implemented via DOJ regulation at Title 28, CFR 202.101 et seq, and restrict the transfer of certain categories of bulk sensitive data and government information to identified countries of concern. The executive order also identifies certain control measures for defined categories of sensitive transactions that are not outright forbidden.

3.6 Threat-Led Penetration Testing

While other jurisdictions have implemented cyber-resiliency stress testing as part of their supervisory and review process, the USA does not have an equivalent required scenario stress test. Instead, financial institutions are encour-

354 CHAMBERS.COM
