The Federal Reserve Board, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) released joint Advanced Notice of Proposed Rulemaking addressing enhanced cybersecurity standards for financial institutions and third parties that provide services for banks.

What happened

Anticipating that a cyber event at a major, interconnected financial institution could have a ripple effect on other markets beyond the targeted bank, the three federal banking regulators outlined the framework for new Enhanced Cyber Risk Management Standards and sought public comments in anticipation of proposed rulemaking.

The regulators' joint Advanced Notice of Proposed Rulemaking (ANPR) anticipates that banks with $50 billion or more in assets, Fed-supervised nonbank financial companies, financial market infrastructures and financial market utilities, and third parties who provide services to such companies would be required to develop and implement a written cyber risk management strategy encompassing five categories of cyber standards. The ANPR anticipates that community banks with less than $50 million in assets would not be subject to the new rules, but would continue to be subject to existing guidance and standards for the provision of banking services by third parties.

The regulators proposed five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

The cyber risk governance standards would emphasize that the cyber risk management is an enterprise-wide strategy and that cyber risk policies would require the approval of the board of directors or an appropriate committee. Senior management would be accountable "for establishing and implementing appropriate policies consistent with the strategy." Officers with cybersecurity responsibility should have independent access to the board of directors.

Cyber risk management should be integrated into the responsibilities of at least three independent functions (the business unit, independent risk management, and the audit function), according to the ANPR, while internal dependency management should ensure that covered entities identify and manage cyber risks associated with the business assets they depend upon to deliver services.

External dependency management standards would mandate that relationships with external organizations and service providers—vendors and customers, for example—must be evaluated to identify and manage cyber risks, with an eye towards the information flow and interconnections between the parties.

Finally, covered entities would have to ensure that their strategy addresses incident response, cyber resilience, and situational awareness, with plans on how to respond to, contain, and rapidly recover from disruptions caused by cyber events, including preserving data integrity and maintaining operations during cyberattacks.

The regulators anticipate more stringent requirements for systems that are designated "critical to the financial sector," where covered entities would be required to implement the "most effective, commercially available controls" and tasked with the ability to substantially mitigate the risk of a disruption or failure due to a cyber event.

The regulators seek comments on the criteria that the agencies should use to identify the systems critical to the financial sector, whether the agencies should consider broadening or narrowing the scope of entities to which the proposed standards would apply, and how well the proposed standards for incident response, cyber resilience, and situational awareness address the safety and soundness of individual financial institutions, among other questions.

To read the ANPR, click here.

Why it matters

At a time when financial institutions are already facing greater regulatory compliance burdens and increasing costs as they strive to enhance the security of their IT systems, imposing additional regulatory standards will further increase the pressure on financial institutions as they strive to meet the expectations of the Federal Reserve, FDIC, and OCC with respect to prevention and resiliency.

Comments will be accepted on the ANPR until January 17, 2017.