A new set of federal banking regulations is on the horizon, aimed at helping financial institutions put in place minimum compliance standards to prevent future cyber-attacks.
Bloomberg Law has reported that the Federal Reserve, the Office of the Comptroller of the Currency (“OCC”) and the Federal Deposit Insurance Corp. (“FDIC”) are working together to develop the standards. While these agencies have not yet issued a public statement regarding the initiative, it should come as no surprise that federal mandates might be forthcoming. At least one regulatory body – the Commodity Futures Trading Commission (“CFTC”) – has already proposed regulations for enhanced cybersecurity testing for derivatives firms to ensure appropriate protective mechanisms are in place.
Over the last few years, we have seen a drastic increase in the frequency and severity of cyber-attacks, including in the financial sector. In March 2016, the Bangladesh central bank’s security was breached, enabling hackers to steal approximately $81 million. During that heist, hackers infiltrated the bank’s financial messaging service – Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) – by remotely sending messages authorizing transfers and payment instructions. When we considered the Lessons Learned from the Bangladesh central bank’s heist in our April 2016 blog post, we highlighted the need for increased security protocols. Federal regulators, it seems, are on the same page.
The news of a potential new federal mandate comes approximately one month after the Federal Financial Institutions Examination Council (“FFIEC”) issued a cybersecurity statement urging financial institutions to review risk-management practices and controls. The FFIEC is an interagency body composed of the Board of Governors of the Federal Reserve System, FDIC, OCC, Consumer Financial Protection Bureau, National Credit Union Administration, and State Liaison Committee.
So what should financial institutions expect? More changes, but not overnight. New federal regulations are subject to a notice and public comment period – which will likely take us into 2017.