Bank regulators are continuing to demand more accountability from corporate leaders when it comes to compliance with cybersecurity safeguards.
In an advance notice of proposed rulemaking issued yesterday, federal regulators are seeking public comment on standards that would require the nation’s biggest banks to bulk up their cybersecurity preparedness and governance. And agency officials made clear that the move is intended to put the responsibility squarely on the shoulders of corporate officers and directors.
The Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have laid out a series of new standards for banks with more than $50 billion in assets and other “systemically significant firms.” The standards would affect several dozen financial institutions and insurance companies.
The point of the new standards – intended to “supplement” current federal bank data security regulation – is to avoid “high impact IT failure and cyberattacks” by creating a framework for cybersecurity governance and management. For example, the covered banks would need to ensure that their boards had “adequate expertise in cybersecurity” and the “ability to maintain access to personnel with such expertise.” The proposal would require banks to implement a cyber risk management plan approved by their boards and integrated into their business strategies at both the enterprise and business-unit levels.
Third-party vendors – outside service providers such as law firms – are also covered by the framework, which would require them to adhere to the same data security requirements as the banks themselves.
A primary concern to the regulators is the interconnectedness of financial institutions and the potential for a daisy-chain effect when there’s a major breach. “As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks,” said the proposal. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”
The public comment period on the proposal closes on January 17, 2017.