In the wake of recent cyberattacks on major financial institutions in the U.S. and abroad, three federal banking regulatory agencies are proposing new, stricter cybersecurity standards on the nation’s largest depository institutions and holding companies.
The Federal Reserve Board, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency announced proposed new rules for those institutions with total U.S. assets of $50 billion or more, according to an Oct. 19 joint news release by the three entities.
The agencies issued an advance notice of proposed rulemaking and will accept comments until Jan. 17.
“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyberattacks,” the proposed rulemaking notice stated. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”
The notice further stated that a cyberattack on one or more of these entities also could significantly impact “the safety and soundness” of the entire U.S. financial sector.
The proposal is in its early stages and does not outline how the regulations would be enforced. However, it does indicate the agencies are considering “implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.”
The cybersecurity standards will address five key areas:
• Cyber risk governance, which would require that entities create a written, board-approved cyber risk management strategy;
• Cyber risk management, which would mandate a risk-management audit;
• Internal dependency management, which would require continued assessment and improvement of cyber risk strategies;
• External dependency management, which would mandate the generation of an accurate listing of cyber risks associated with outside partners; and
• Incident response, cyber resilience and situational awareness, which would establish mandatory recovery times and strategies if a cyberattack occurs.
Banks initially seemed supportive of the new cybersecurity plan, but want to see more details regarding enforcement.
“Generally speaking, a lot of what we’ve seen within the document … are things which our largest financial institutions already have under way,” Doug Johnson, senior vice president and chief adviser in payments and cybersecurity policy at the American Bankers Association, said in an Oct. 19 online article published in the American Banker magazine. However, he added in the article that financial institutions will need some “level of flexibility” if the proposed rules are enforced.
The American Bankers Association “supports a broad framework that harmonizes existing regulations but argues against strict requirements,” according to an Oct. 19 article by Aaron Gregg in the Washington Post.