OFR_2016_Financial-Stability-Report

Recommendations

Info

The industry is working with the public sector to build resilience — in this case, the ability to quickly respond to cybersecurity threats and recover from cyber incidents (see Figure 45). One program is developing a platform that companies can use to share threat intelligence (see DTCC, 2015). That program is called Soltra. It is run by a partnership of the Depository Trust & Clearing Corp., which, through its subsidiaries, provides clearing and settlement services to the financial markets, and the Financial Services – Information Sharing and Analysis Center. Industry, government, and academia also held exercises to improve the readiness of the financial services industry to respond to systemwide incidents, known as the Quantum Dawn series (see Deloitte and SIFMA, 2015). Other government-run simulations for enhancing communication, collaboration, and response are the Hamilton series of exercises and international work with the U.K. through Operation Resilient Shield (see Treasury and HM Treasury, 2015; Waterman, 2016). Stances of U.S. Financial Regulators Vary U.S. regulators clearly recognize the threat of cyber incidents to financial firms. Regulators have placed more emphasis on cybersecurity threats in their public statements and in guidance to the financial institutions they supervise. Regulators have progressed in developing specific assessment standards and in setting enforceable regulatory expectations on cybersecurity. They have begun incorporating those standards into their work by Figure 45. Major Public and Private Groups Addressing Cyber Risks Organization Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC) Financial and Banking Information Infrastructure Committee (FBIIC) Financial Services – Information Sharing and Analysis Center (FS-ISAC) Description Group of trade associations, financial utilities, and financial companies that works with the public sector on policy issues related to resilience and response to cybersecurity issues, natural disasters, and terrorism. Group of federal and state financial regulators created after the 9/11 attacks to improve coordination and communication among regulators, enhance resilience of the financial sector, and promote public-private partnerships. Nonprofit center that provides member financial services firms with anonymous, global information sharing about cyber and physical threat intelligence. Source: OFR analysis 44 2016 | OFR Financial Stability Report
setting benchmarks. Figure 46 lists key U.S. financial regulatory guidance and standards on cybersecurity. These regulatory approaches reflect different priorities. Risk profiles differ among financial institutions. Regulators’ statutory authority varies. Bank regulators conduct IT examinations that factor cybersecurity preparedness into stress testing, resolution planning, and safety and soundness supervision. The IT standards reach beyond banks to third-party vendors and contractors that provide key services to the same extent as if they were performed by the bank itself on its own premises (see U.S. Congress, 2010). The regulators also introduced a Cybersecurity Assessment Tool in June 2015 that banks may voluntarily use to assess their risk and cybersecurity preparedness (see FFIEC, 2015). The tool supplements existing standards for examining banks’ IT management. It establishes a measurable process that banks can use to assess their preparedness across several types of risk over time. However, the tool on its own is not an enforceable standard. More recently, the Federal Reserve, OCC, and FDIC issued a proposed rule in October 2016 to establish enhanced cybersecurity standards for large financial institutions. The proposed rule would apply to banks with assets greater than $50 billion, nonbank financial institutions that are designated by FSOC and subject to Federal Reserve supervision, financial market utilities, and third-party service providers. The proposed rule sets enforceable standards for governance and management of cybersecurity risks. It also sets expectations for resilience and recovery from cybersecurity incidents (see Board of Governors, OCC, and FDIC, 2016). The SEC’s Regulation SCI mandates corrective action by covered firms (including registered clearing agencies, alternative trading systems, and plan processors) if there is a cybersecurity or other operational risk event (see SEC, 2015). It came into effect in November 2015. Regulation SCI focuses on assessing the business continuity and disaster recovery abilities of firms. It aims to assure recovery within two hours after an incident for critical systems such as clearing and settlement. The regulation also requires prompt notice of an event. However, compared with bank regulators, the SEC has more limited authority over third-party vendors that sell services to its regulated firms (see FSOC, 2016b). The SEC has also issued a draft rule that would set cybersecurity expectations for investment advisers in the context of business continuity planning. In contrast with other regulators, insurance regulators focus on securing customer data. Criminals have targeted customer records in several hacks on health insurance firms. The National Association of Insurance Commissioners is concerned that more breaches of customer data could reduce confidence in the industry. Customers could withhold certain information from insurers, which would hurt the ability of insurers to assess risk. Regulators are starting baseline cybersecurity assessments of insurers. They Regulators have progressed in developing specific assessment standards and in setting enforceable regulatory expectations on cybersecurity. These regulatory approaches reflect different priorities. Risk profiles differ among financial institutions. Regulators’ statutory authority varies. Key Threats to Financial Stability 45
Page 1: OFFICE OF FINANCIAL RESEARCH 2016 F
Page 5: Contents Executive Summary ........
Page 8 and 9: Chapter 2 provides deeper analysis
Page 10 and 11: of sharp decreases in U.S. equity a
Page 13 and 14: 1 Financial Stability Assessment Ov
Page 15 and 16: Figure 3. Real GDP Growth (year-ove
Page 17 and 18: Figure 8. Ten-Year U.S. Treasury Yi
Page 19 and 20: Monitoring Shadow Banking Risks The
Page 21 and 22: An earlier OFR paper proposed an ac
Page 23 and 24: Figure 17. Size, Liquidity, and Con
Page 25: Figure 19. Top Systemic Risk Scores
Page 28 and 29: The analysis pointed to seven key t
Page 30 and 31: could. In early 2016, investor conc
Page 32 and 33: earnings or share issuance. But red
Page 34 and 35: Fund Monitor, the OFR assessed expo
Page 36 and 37: 2.2 Risks in U.S. Nonfinancial Corp
Page 38 and 39: Figure 31. U.S. Nonfinancial Corpor
Page 40 and 41: Figure 36. U.S. Corporate Bond Defa
Page 42 and 43: Commercial Real Estate Prices Have
Page 44 and 45: 2.3 Cybersecurity Incidents Affecti
Page 46 and 47: Hackers Breach Bangladesh’s Centr
Page 48 and 49: Figure 42. Banks that Include an Op
Page 52 and 53: Figure 46. U.S. Financial Regulator
Page 54 and 55: 48 2016 | OFR Financial Stability R
Page 56 and 57: eleased the results of an unprecede
Page 58 and 59: Figure 49. CCP Default Waterfall ($
Page 60 and 61: Figure 50: CCP Ratios and Amounts f
Page 62 and 63: cause more-prudent CCPs to appear m
Page 64 and 65: 2.5 Pressure on U.S. Life Insurance
Page 66 and 67: The experience of Japan’s life in
Page 68 and 69: 2015). These benefits are effective
Page 70 and 71: Figure 55. Life Insurance Securitie
Page 72 and 73: Drivers of Insurers’ Systemic Ris
Page 74 and 75: 2.6 Systemic Footprints of Largest
Page 76 and 77: Interest Rates and Derivatives Expo
Page 78 and 79: Figure 63. Components of U.S. G-SIB
Page 80 and 81: Figure 66. Five-Year Changes to G-S
Page 82 and 83: 2.7 Deficiencies in Data and Data M
Page 84 and 85: Figure 68. Examples of Key Post-Cri
Page 86 and 87: Broader Adoption of Data Standards
Page 88 and 89: Better Regulatory Sharing Needed Th
Page 90 and 91: The U.S. Census Bureau surveys publ
Page 92 and 93: The group will also consider how th
Page 94 and 95: and contracts would be crucial. The
Page 96 and 97: Figure 72. Scaling of Data Validati
Page 99 and 100: Glossary 10-Year, 10-Year Forward R
Page 101 and 102:
Conditional Value-at-Risk (CoVaR) C
Page 103 and 104:
Fire Sale Form N-MFP Form PF Fundin
Page 105 and 106:
Liquidity Risk Liquidity Transforma
Page 107 and 108:
Pension Funded Ratio Pension Risk T
Page 109 and 110:
Stress Test Supplemental Leverage R
Page 111 and 112:
Bibliography Adrian, Tobias, and Ma
Page 113 and 114:
Board of Governors of the Federal R
Page 115 and 116:
www.richmondfed.org/~/media/richmon
Page 117 and 118:
Her Majesty’s Government and Mars
Page 119 and 120:
Paul, Ruma. “Bangladesh hopes to
Page 121:
Zetter, Kim. “That Insane, 18M Ba
show all

OFR_2016_Financial-Stability-Report

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?