Regulators Propose Tougher Cybersecurity Standards for Big Banks

October 21, 2016 Marketing GrafWebCUSO

U.S. banking regulators this week unveiled a proposal to enhance cybersecurity risk-management and resilience standards for the largest banks and their interconnected entities.

The proposed joint standards by the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency would apply to depository institutions and depository institution holding companies with assets of $50 billion or more, U.S. operations of foreign banking organizations with U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve.

The enhanced standards would not apply to community banks. Comments are due Jan. 17, 2017.

The proposed rule addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.

The agencies said they are considering the implementation of the enhanced standards in a “tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.”

Financial institutions and consumers, the agencies said, “have become increasingly dependent on technology to facilitate financial transactions,” just as the largest, most complex financial institutions “rely heavily on technology to engage in national and international banking activities and to provide critical services to the financial sector and the U.S. economy.”

“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the banking regulators said.

Recovery strategies, the regulators said, should include establishing recovery time objectives. The agencies said they are considering a requirement that covered entities establish a two-hour recovery time objective for their sector-critical systems, validated by testing, for recovery from a disruptive, corruptive, or destructive cyber event.

The test programs, the agencies said, “would include a range of scenarios, including severe but plausible scenarios, and would challenge matters such as communications protocols, governance arrangements, and resumption and recovery practices.”

The regulators are issuing the proposed rule before developing a more detailed proposal for consideration, and are seeking comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector.

Originally published on Law.com. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.