Banking and Finance Law Daily
Wednesday, October 19, 2016

Agencies propose enhanced cybersecurity standards for big banks

By Lisa M. Goolik, J.D.

The Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency are seeking comments on proposed enhanced cybersecurity risk-management and resilience standards for large and interconnected entities under their supervision, and for services provided by third parties to those institutions. The proposed enhanced standards are aimed at "reducing the impact on the financial system in case of a cyber event experienced by one of these entities," said FDIC Chair Martin J. Gruenberg. Comments on the proposed rulemaking are due Jan. 17, 2017.

Increased resilience. The agencies' existing supervisory programs already contain general expectations for cybersecurity practices at financial institutions and third-party service providers. The enhanced standards would be integrated into that existing supervisory framework by establishing heightened supervisory expectations for the entities and services that potentially pose elevated cyber risk to the safety and soundness of the financial sector.

The proposed enhanced standards would also be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.

Each agency would apply the enhanced standards to the "largest and most interconnected entities" subject to their jurisdiction—essentially those financial institutions and holding companies with $50 billion or more in total assets—as well as to services provided by third parties to these institutions. The Fed is also considering applying the enhanced cybersecurity standards to financial market infrastructure companies and nonbank financial companies subject to enhanced prudential standards. The proposed enhanced standards would not apply to community banks.

Five categories of standards. The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

Within the categories, the proposed enhanced standards emphasize the need for covered entities to:

  • demonstrate effective cyber risk governance;

  • continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors;

  • establish and implement strategies for cyber resilience and business continuity in the event of a disruption;

  • establish protocols for secure, immutable, and transferable storage of critical records; and

  • maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis.

Sector-critical systems. As noted, the agencies are also proposing a tiered approach that would apply additional heightened standards for "sector-critical systems." The agencies are seeking feedback on which systems should be considered "sector-critical."

The agencies are specifically considering:

  • systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities, and corporate debt and equity securities;

  • systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in other markets (for example, exchange-traded and over-the-counter derivatives), or that support the maintenance of a significant share (for example, five percent) of the total U.S. deposits or balances due from other depository institutions in the United States;

  • systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility);

  • systems that act as key nodes to the financial sector because of their extensive interconnectedness to other financial entities, and that could have a material impact on financial stability if significantly disrupted; and

  • any services provided by third parties in support of a covered entity’s sector-critical systems, which would be subject to the same sector-critical standards.

Comments. The agencies are seeking comments before developing a more detailed proposal for consideration, and are also asking for comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector. Comments should be addressed to:

  • Fed: Robert deV. Frierson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue N.W., Washington, D.C. 20551. Comments should be identified by Docket No. R-1550 and RIN 7100-AE-61.

  • FDIC: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, N.W., Washington, D.C. 20429. Comments should include the agency name and RIN 3064-AE45.

  • OCC: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 400 7th Street, S.W., suite 3E-218, mail stop 9W-11, Washington, D.C. 20219. Please use the title "Enhanced Cyber Risk Management Standards" to facilitate the organization and distribution of the comments.

Comments may also be submitted electronically through the agencies’ websites or the Federal eRulemaking Portal.
