On June 24, 2016, in a response letter to Senator Dean Heller (R-NV), Daniel Tarullo, a member of the Board of Governors of the Federal Reserve System, highlighted the benefits of consistent cybersecurity supervisory examination approaches. Mr. Tarullo noted that “[i]t is clear that the interests of the financial services sector are best served by appropriate regulatory and supervisory coordination,” and that the Federal Financial Institutions Examination Council (“FFIEC”) (of which Mr. Tarullo is chair) has endeavored to “align risk-based approaches to assess cybersecurity and resilience in regulated firms.” Mr. Tarullo was responding to Senator Heller’s March 4, 2016, letter, which asked that Mr. Tarullo and Secretary of the Treasury Jack Lew (in his role as chair of the Financial Stability Oversight Council (“FSOC”)) detail what plans each regulatory entity could adopt to increase cybersecurity exam coordination. Senator Heller’s letter stressed that current regulatory practices subject firms to examinations by multiple agencies, and that there “appears to be little to no coordination among regulators, resulting in unnecessary duplication.” Secretary Lew has not yet responded publicly.
In his response, Mr. Tarullo also emphasized that the FFIEC seeks to promote “uniformity and consistency in the examination of financial institutions.” He noted that the FFIEC’s member firms have developed a common assessment tool and supervisory expectations to help financial institutions “identify their risks and assess their cybersecurity preparedness.” Mr. Tarullo also stated that through the Financial and Banking Information Infrastructure Committee, federal and state regulators (including all members of the FFIEC) “engage regularly on cybersecurity issues and have taken steps to prompt financial services sector companies to mitigate risks to the financial system posed by malicious cyber activities.”