In January 2021, the Federal Reserve Banks implemented what is now known as the Security and Resiliency Assurance Program (“Assurance Program”). This program outlines new compliance requirements for organizations that use FedLine® Solutions by the end of the 2022 calendar year.
This article outlines everything you need to know about this new program.
What Is the Assurance Program?
The Security and Resiliency Assurance Program, implemented by the Federal Reserve Banks in January 2021, outlines new requirements for financial organizations that use FedLine Solutions. According to the Federal Reserve, these organizations will have to:
- Conduct a self-assessment of their compliance with the security requirements.
- If the Federal Reserve Banks require it, ensure the self-assessment is conducted or reviewed by an independent internal function or third party. Whether this is required will be stated in the body of the Assurance Program email.
- Attest that the self-assessment was completed by having a senior management official or executive officer, in charge of electronic payments operations or payments security for the organization, sign the provided attestation letter.
The Security Requirements for the self-assessment can be found in Appendix B of the FedLine Security and Resiliency Assurance Program Guide. According to the Federal Reserve, “For the purposes of the Assurance Program, the FedLine Security Requirements must be sufficiently within the scope of the SOC review to enable an organization to in good faith complete the attestation.”
All financial institutions’ End User Authorization Contacts (EUACs) should have received their attestation materials at the end of February 2022. Once the materials have been received, the requirements of this program must be completed by December 31, 2022. After 2022, these requirements must be completed annually.
Why You Should Care
Security isn’t just the responsibility of the cybersecurity teams and individuals. Due to the sensitivity of the data they hold, financial institutions are a high-value target for threat actors and will continue to be a target due to the nature of their business. Because of this, the Federal Reserve Banks made putting together the Assurance Program a high priority.
Financial institutions are responsible for securing sensitive customer data, also known as Personally Identifiable Information (PII), and have been heavily regulated in protecting that data for some time through regulations like the Gramm-Leach-Bliley Act (GLBA). FedLine Solutions are one specific component of the U.S. electronic payments system that many financial institutions use for direct access to Federal Reserve Bank Services, such as electronic payments or the exchange of related information. Because of the critical and highly sensitive nature of these services, the Federal Reserve Banks (FRB) have raised the assurance requirements they consider necessary.
Because these institutions have access to, and exchange, such sensitive information through FedLine Solutions, the Assurance Program was created to mirror industry best practices, such as the National Institute of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council (FFIEC) standards. These best practices aim to serve as a benchmark for holistic risk management for financial institutions.
Assurance Program Requirements
While many financial institutions may already understand the importance of prioritizing cybersecurity within their organizations, the requirements outlined by the Assurance Program are not to be taken lightly. If any financial institution fails to complete the requirements of this program by December 31, 2022, there will be consequences.
According to the Federal Reserve, “Failure to submit an attestation by the due date is a violation of Operating Circular 5 that could result in the Reserve Banks taking any of the actions set out in section 7.1 of Operating Circular 5.” According to section 7.1, this means the annulment of the Electronic Access Agreement, which would result in the termination of the electronic connection to the Federal Reserve Banks. This would greatly affect day-to-day business operations, resulting in customer disruption.
Five Steps to Get Started
While the end of the year is still months away, it will be here before we know it. Do not wait until the last minute to start completing the requirements of the Assurance Program.
To get started, follow the steps below:
- Contact your EUAC to review the attestation materials. Each organization identifies an EUAC to be the point of contact during this process. The Federal Reserve Banks should have sent your organization’s EUAC the required attestation materials by the end of February 2022. Review them to identify which security requirements apply to your organization.
- Perform the assessment. Once the attestation materials have been reviewed, perform the security assessment. Please note, the applicable controls and requirements for the assessment will differ between organizations based on how each institution uses FedLine Solutions.
- Identify gaps. During your assessment, identify areas where security controls are lacking or could be improved. Knowing where your organization stands regarding security best practices is the first step to improvement.
- Develop a roadmap. Based on the findings of your assessment, your organization should develop a roadmap to address and remediate any gaps that were identified to improve your organization’s overall security posture.
- Submit your attestation. Once your assessment has been completed, your organization must electronically sign to verify that the Assurance Program has been completed.
In today’s world, it seems like there’s a never-ending list of requirements and recommendations aimed at protecting your organization against breaches and vulnerabilities. The Assurance Program is another line of defense for financial institutions that carry some of our most sensitive data.
For more answers to commonly asked questions regarding the Assurance Program, please visit the Frequently Asked Questions page.