On October 19, the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency (the Agencies) issued an advance notice of proposed rulemaking (ANPR) seeking to enhance cyber risk management standards at large financial institutions via implementation of nearly 80 separate cybersecurity-related requirements.[1]
The ANPR, which solicits public comment on 39 multi-part questions,[2] was issued four weeks after the New York State Department of Financial Services (NYDFS) proposed its own rule requiring New York state-licensed entities to adopt specific cybersecurity protections (NY Proposal).[3] While the ANPR solicits comment, the NY Proposal is scheduled to become effective in January 2017.
Although both the ANPR and NY Proposal would heighten regulatory expectations and require covered institutions to enhance controls to manage cybersecurity risks, the proposals differ significantly in approach. The ANPR sets forth a more fluid, principles-based framework of cybersecurity controls, whereas the NY Proposal details specific, prescriptive cybersecurity requirements for covered institutions. The ANPR envisions a rule requiring covered financial institutions to incorporate cybersecurity controls in all aspects of their existing risk management procedures, allowing them to customize compliance approaches. In contrast, the NYDFS rule would require covered entities to implement specific technologies and actions to contain cybersecurity risks, and would impose a significantly more rigorous and aggressive compliance regime.