The U.S. Board of Governors of the Federal Reserve System, the U.S. Office of the Comptroller of the Currency (OCC), and the U.S. Federal Deposit Insurance Corporation (the “Agencies”), released an Advanced Notice of Proposed Rulemaking (“ANPR”) on October 20, requesting comments by January 17, 2017, on enhanced cybersecurity risk management rules for the financial sector, particularly companies that are interconnected with other industries.
The ANPR proposes to apply new and enhanced cybersecurity standards to a giant swath of financial services companies and service providers. The proposal is targeted at U.S. financial sector companies with $50 billion or more in assets or the U.S. operations of a foreign banking organization where the total U.S. assets are $50 billion or more. The ANPR is also targeted at companies whose interconnectedness could result in systemic risk to the financial sector or risk of cybersecurity exposure to external stakeholders. These larger companies would be subject to stringent “sector-critical standards.” In addition, the ANPR would sweepingly apply to not only large banks but also regional banks, credit card companies offering checking or savings accounts, large insurers, transaction clearinghouses, and non-bank financial companies (referred to as “covered entities”) and indirectly to third party vendors and other service providers.
The ANPR deviates from the voluntary and flexible nature of the National Institute of Standards & Technology U.S. Cybersecurity Framework (“Cybersecurity Framework”) as required under Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” issued in February 2013 (“Cybersecurity EO”) and the bipartisan Cybersecurity Enhancement Act of 2014, P.L. 113-274. It ignores the Cybersecurity Framework’s explicit policy of allowing companies to adopt security practices appropriate to their own circumstances.
The ANPR seems to ignore another fundamental goal of the Cybersecurity EO and the Cybersecurity Framework, that of eliminating conflicting and duplicative cybersecurity regulations, rather than creating more of them. The ANPR proposes to make several financial agency guidelines including the U.S. Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool into mandatory standards. U.S. Financial regulators have already come under fire for increasing the cybersecurity regulatory burden on the sector beyond what is required under the Cybersecurity Framework and the ANPR goes even further. The ANPR also mandates many practices already followed by the financial sector (i.e., adoption of a cyber resilience and incident response program, etc.).
The Agencies plan to issue a formalized proposal in the Spring, which stakeholders will have another opportunity to comment on before a final rule is adopted. One wild card in the process is the election of Donald J. Trump as President, which may create an interesting dynamic as this proposal moves forward.