On October 30, 2020, the US federal banking regulators1 issued guidance on sound practices for the largest US banking organizations to strengthen their operational resilience, including with respect to cyber risk management (the “Guidance”).2 Operational resilience is an organization’s ability to prepare for, adapt to, withstand, and recover from disruptions and to continue operations. Disruptions may come from any type of internal or external operational risk and include technology-based failures, cyber incidents, pandemic outbreaks, and natural disasters.
The practices in the Guidance are characterized as being drawn from “existing regulations, guidance, statements, and common industry standards,” and the regulators maintain that the Guidance does not revise existing precedent or impose new requirements. However, the Guidance blurs the lines between rules, guidance, and supervisory expectations, and, therefore, regulators could expect the largest and most complex banking organizations to enhance operational resilience policies, procedures, and processes and associated control, monitoring, and testing to address the Guidance. Additionally, the Guidance blends concepts from different areas of banking law and, therefore, could be characterized as requiring organizations to reorganize compliance structures to coordinate activities that were previously conducted in silos.