Federal banking agencies have extended the comment period on proposed new, stricter cybersecurity standards for the nation’s largest banks.
The Federal Reserve Board, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation announced they extended the comment period to Feb. 17 on the advance notice of proposed rulemaking on enhanced cyber risk management standards for depository institutions with more than $50 billion in assets and those entities’ service providers.
Comments were originally due by Jan. 17. The extension of the comment period will “allow interested persons more time to analyze the issues and prepare their comments,” according to a Jan. 13 joint news release by the three agencies.
The proposed new cyber standards will address the following areas:
• Cyber risk governance, which would require that entities create a written, board-approved, cyber risk management strategy;
• Cyber risk management, which would mandate a risk-management audit;
• Internal dependency management, which would require continued assessment and improvement of cyber risk strategies;
• External dependency management, which would mandate the generation of an accurate listing of cyber risks associated with outside partners; and
• Incident response, cyber resilience and situational awareness, which would establish mandatory recovery times and strategies if a cyberattack occurs.
“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyberattacks,” the original notice of proposed rulemaking stated. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”