In the midst of growing concerns over cyber-attacks on U.S. companies, federal banking regulators announced a proposal to enhance and standardize cyber risk management standards across the banking industry. The Advance Notice of Proposed Rulemaking (ANPR) was jointly issued by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) on Wednesday, October 19, 2016.
The proposal details a planned regulatory scheme intended to help ensure resiliency in the face of a cyber-attack or adverse IT event, and to provide a practical framework for mitigating the potential consequences of an IT systems failure.
The proposed rules will apply to large financial institutions and "interconnected" entities that support operations throughout the information life cycle. Different tiers of restrictions will be developed depending on how critical a "covered entity" is to the financial institution’s ability to function. Rather than issuing a comprehensive set of rules, the proposal leaves many questions for industry stakeholders, who will have an opportunity to shape the potential rules during the public comment period, which closes on January 17, 2017.
Principles of the Proposal
The proposal sets out the following principles that could dramatically expand the reach of financial industry regulators in the area of cybersecurity risk.
Expanded applicability to financial institutions
The proposed rules are intended to apply to financial institutions that are critical to the financial sector, banking organizations with total consolidated assets of $50 billion or more, and third-party service providers. These standards apply enterprise-wide at covered entities. The regulation, however, will not apply to community banks.
Expanded applicability beyond financial institutions
Third-party service providers would have to comply with the same standards as covered entities. The intention is to help ensure the proposed standards are consistent across the IT systems of covered entities regardless of whether components of IT operations are performed in-house, by affiliates or by third-party service providers.
Tiered approach depending on criticality to the financial sector
Two sets of standards may be developed. The first set of enhanced standards would apply broadly to all systems of covered entities, and the second set of heightened "sector-critical standards" would apply to entities that pose a high level of risk to large institutions or are critical to the entire industry.
Sector-critical entities may have to significantly bolster security controls and incident response plans
There may be heightened requirements to implement and operationalize cybersecurity controls.
- These entities may be required to establish a two-hour Recovery Time Objective (RTO) from a cyber event, and to validate the RTO with testing.
- These enhanced obligations would apply to third parties with operations that supply “sector-critical” services.
Categories of standards will be issued
The framework established by the proposed rules will consist of the following categories of controls:
- Cyber risk governance
- Cyber risk management
- Internal dependency management
- External dependency management
- Incident response, cyber resilience and situational awareness.
Impact of the New Regulations
This ANPR follows closely on the heels of a recently proposed New York State law that would require banks, insurance companies and other financial services institutions regulated by the State Department of Financial Services (DFS) to establish and maintain a cybersecurity program. The impact of these new regulations will certainly extend to companies that were previously not subject to stringent cybersecurity regulations. The final form has yet to be issued, but there is no doubt that regulators are paying closer attention than ever to cybersecurity and privacy.