BankOnIT Insights

2021 Regulatory Year in Review

Written by Sharon Bracken | Jan 11, 2022 10:16:27 PM

Cybersecurity remains a Top Concern for Regulators

Last year, rising cybersecurity risk spurred federal banking regulators to issue multiple releases concerning information technology. Since that trend shows no sign of slowing, expect more releases from regulators on technology issues in 2022.

Let’s review the highlights published in 2021:

The year started with an emphasis on implementing and maintaining effective cybersecurity controls, building on the joint statement on heightened cybersecurity risk (issued in January 2020, see reference 1), and regulators followed in June with an updated examination booklet. Can you imagine how much technology has changed in the 17 years since the Operations booklet was first published?

  • January 2020 Joint Statement on Heightened Cybersecurity Risk 1
  • June 2021 Updated FFIEC IT Examination Handbook – Architecture, Infrastructure, and Operations Booklet 2

Regulators are also placing more focus on third-party vendors and on the risk management and due diligence that go into those relationships.

  • July 2021 Proposed Interagency Guidance on Third-Party Relationships: Risk Management 3
  • August 2021 Conducting Due Diligence on Financial Technology Companies 4

The number of remote connections rose sharply in 2020, which led to published guidance on authentication and access in 2021. That guidance addresses the need for, and the use of, multifactor authentication (MFA) across platforms, for institutions and customers alike.

  • August 2021 Authentication and Access to Financial Institution Services and Systems 5

The year rounded out with advisories from both OFAC and FinCEN addressing the risks of facilitating ransomware payments, driven by the growing use of virtual currencies to collect those payments.

  • November 2021 FinCEN Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments 6

Lastly, the FDIC, jointly with the OCC and the Federal Reserve, finalized a rule setting a firm timeline for when institutions must notify their primary federal regulator of a computer-security incident: as soon as possible, and no later than 36 hours after the institution determines that a notification incident has occurred. In addition, an institution's bank service providers must notify the institution as soon as possible after determining that an incident has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, the services they provide for four or more hours. Institutions should confirm that this notification obligation is addressed in vendor contracts or other official documentation. The rule takes effect April 1, 2022, with compliance required by May 1, 2022.

  • November 2021 Computer-Security Incident Notification 7

Looking ahead: In 2022, expect continued and increased focus on business continuity testing and on documenting Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). Also expect increased scrutiny of vendor relationships: is it only the third party, or are there hidden fourth- and possibly fifth-party vendors to consider? In every case, work to implement sound cybersecurity procedures and to mitigate cybersecurity threats.


1 https://www.fdic.gov/news/financial-institution-letters/2020/fil20003a.pdf
2 https://ithandbook.ffiec.gov/media/402799/ffiec_itbooklet_aio.pdf
3 https://www.fdic.gov/news/financial-institution-letters/2021/fil21050.html
4 https://www.fdic.gov/news/press-releases/2021/pr21075a.pdf
5 https://www.fdic.gov/news/financial-institution-letters/2021/fil21055a.pdf
6 https://www.fincen.gov/sites/default/files/2021-11/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf
7 https://www.fdic.gov/news/financial-institution-letters/2021/fil21074.html