Bank Regulators Issue Joint Statement on Heightened Cybersecurity Risk

Financial institutions of all sizes should be prepared for a worst-case scenario.

In light of the increasingly heightened cybersecurity risk environment facing the financial services industry and other critical business sectors, on January 16, 2020, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation issued a Joint Statement on Heightened Cybersecurity Risk (the Joint Statement) to remind supervised financial institutions to implement effective response, resilience, authentication, and system configuration controls that mitigate the risk of successful cyberattacks.

The Joint Statement follows the Department of Homeland Security announcement of heightened risk of cyberattacks hostile to U.S. interests due to increased geopolitical tension and the release of a report by staff of the Federal Reserve Bank of New York warning that a major cybersecurity attack could paralyze the entire U.S. financial system.

The Joint Statement emphasizes that financial institutions of all sizes should be prepared for a worst-case scenario and should have effective business continuity processes for rapid recovery, resumption, and maintenance of operations. According to the Joint Statement, institutions should implement and maintain effective cybersecurity controls protecting financial institutions from malicious activity, especially during this period of heightened risk.

The Joint Statement highlights cybersecurity risk principles previously articulated by the federal banking, consumer and credit union supervisors—including business resilience, authentication, system configuration, security tools, data protection, and employee training—and points out that applying existing cybersecurity risk management principles and risk mitigation techniques reduces the disruption and destruction caused by successful cyberattacks.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.