Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Fed discusses cybersecurity risk management and emerging threats

Privacy, Cyber Risk & Data Security Federal Issues Bank Regulatory Federal Reserve Risk Management Examination

Privacy, Cyber Risk & Data Security

On July 7, the Federal Reserve Board published its 2022 Cybersecurity and Financial System Resilience Report. Issued pursuant to the Consolidated Appropriations Act, the Fed’s report described measures it has taken to strengthen cybersecurity in the financial services sector. The report identified cybersecurity as a high priority for the Federal Reserve System and Board-supervised institutions and recognized the increasing and evolving nature of cybersecurity threats to the financial system. It delivered an overview of the Fed’s supervisory policies and procedures, which, among other things, require supervised institutions to implement internal controls and information systems appropriate to the size of the institution and to the nature, scope, and risk of its activities. The report explained that examiners’ cybersecurity evaluations consider “the business model and activities conducted by supervised institutions as part of a principles-based supervision program.” According to the Fed, an examination’s scope “is set as part of a multiyear supervisory plan that considers key cybersecurity risks, the industry landscape, and other factors such as emerging technologies.” The Fed explained that as part of these evaluations, “examiners consider business-line controls, risk-management practices, assurance functions, and governance activities performed by the firm’s senior management and board of directors.”

The report also outlined intergovernmental, international, and public and private sector coordination activities, and included a list of recent actions taken by the Fed and other agencies to promote cybersecurity. Additionally, the report discussed current or emerging threats to financial institutions’ ability to operate and protect customer data, including ransomware, sophisticated distributed denial of service threats, increasing geopolitical tensions, and attacks to supply chains or third parties. Other emerging technology-related cybersecurity threats are also discussed including “[p]otential cybersecurity vulnerabilities in fintech applications,” such as cryptocurrency exchanges, banking applications, and other platforms that provide “threat actors an opportunity to steal funds or data by compromising victims’ computer systems or technology infrastructure used to interact with the products or services.”