Just one day after the Federal Financial Institutions Examination Council issued FAQs to help financial institutions utilize FFIEC’s Cybersecurity Assessment Tool, three federal banking regulators issued an Advance Notice of Proposed Rulemaking regarding “Enhanced Cyber Risk Management Standards.”
The rulemaking notice was issued on October 19, 201 by the Federal Reserve Board, the FDIC, and the OCC. A copy of the notice can be found here.
As proposed, the enhanced cybersecurity rules would not apply to community banks, but would apply to any of the following institutions, as well as third parties who provide services to these institutions: (1) depository institutions and depository institution holding companies with assets of $50 billion or more; (2) US operations of foreign banking organizations with US assets of $50 billion or more; and (3) financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board. These institutions were identified to the extent they provide “key functionality to the financial sector.”
The enhanced rules are being considered based on the reality that technology dependence is growing and the US financial sector is becoming more interdependent. As such, a cybersecurity-induced failure of one major institution could impact the safety and soundness of other institutions.
The enhanced rules would fall within five different categories: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. The proposed rulemaking includes 36 questions across the foregoing categories for which comments are being sought.