Group of professionals discuss finance

Breaking news and expert analysis on legal and compliance issues

[Back To Home][Back To Archives]

From Banking and Finance Law Daily, October 19, 2016

Agencies propose enhanced cybersecurity standards for big banks

By Lisa M. Goolik, J.D.

The Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency are seeking comments on proposed enhanced cybersecurity risk-management and resilience standards for large and interconnected entities under their supervision, as well as to services provided by third parties to these financial institutions. The proposed enhanced standards are aimed at "reducing the impact on the financial system in case of a cyber event experienced by one of these entities," said FDIC Chair Martin J. Gruenberg. Comments on the proposed rulemaking are due Jan. 17, 2017.

Increased resilience. While the agencies have existing supervisory programs that contain general expectations for cybersecurity practices at financial institutions and third-party service providers, the enhanced standards would be integrated into the existing supervisory framework by establishing enhanced supervisory expectations for the entities and services that potentially pose heightened cyber risk to the safety and soundness of the financial sector.

The proposed enhanced standards would also be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.

Each agency would apply the enhanced standards to the "largest and most interconnected entities" subject to their jurisdiction—essentially those financial institutions and holding companies with $50 billion or more in total assets—as well as to services provided by third parties to these institutions. The Fed is also considering applying the enhanced cybersecurity standards to financial market infrastructure companies and nonbank financial companies subject to enhanced prudential standards. The proposed enhanced standards would not apply to community banks.

Five categories of standards. The proposal addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.

Within the categories, the proposed enhanced standards emphasize the need for covered entities to:

  • demonstrate effective cyber risk governance;

  • continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors;

  • establish and implement strategies for cyber resilience and business continuity in the event of a disruption;

  • establish protocols for secure, immutable, and transferable storage of critical records; and

  • maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis.

Sector-critical systems. As noted, the agencies are also proposing a tiered approach that would apply additional heightened standards for "sector-critical systems." The agencies are seeking feedback on which systems should be considered "sector-critical."

The agencies are specifically considering:

  • systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in one or more of the markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities, and corporate debt and equity securities;

  • systems that support the clearing or settlement of at least five percent of the value of transactions (on a consistent basis) in other markets (for example, exchange-traded and over-the-counter derivatives), or that support the maintenance of a significant share (for example, five percent) of the total U.S. deposits or balances due from other depository institutions in the United States;

  • systems that provide key functionality to the financial sector for which alternatives are limited or nonexistent, or would take excessive time to implement (for example, due to incompatibility);

  • systems that act as key nodes to the financial sector due to their extensive interconnectedness to other financial entities could have a material impact on financial stability if significantly disrupted; and

  • any services provided by third parties that support a covered entity’s sector-critical systems would be subject to the same sector-critical standards.

Comments. The agencies are seeking comments before developing a more detailed proposal for consideration, and are also asking for comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector. Comments should be addressed to:

  • Fed: Robert deV. Frierson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue N.W., Washington, D.C. 20551. Comments should be identified by Docket No. R-1550 and RIN 7100-AE-61.

  • FDIC: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, N.W., Washington, D.C. 20429. Comments should include the agency name and RIN 3064-AE45.

  • OCC: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 400 7th Street, S.W., suite 3E-218, mail stop 9W-11, Washington, D.C. 20219. Please use the title "Enhanced Cyber Risk Management Standards" to facilitate the organization and distribution of the comments.

Comments may also be submitted electronically through the agencies’ websites or the Federal eRulemaking Portal.

MainStory: TopStory BankingOperations CyberPrivacyFeed FinancialStability IdentityTheft Privacy

Back to Top

Banking and Finance Law Daily

Introducing Wolters Kluwer Banking and Finance Law Daily — a daily reporting service created by attorneys, for attorneys — providing same-day coverage of breaking news, court decisions, legislation, and regulatory activity.

A complete daily report of the news that affects your world

  • View full summaries of federal and state court decisions.
  • Access full text of legislative and regulatory developments.
  • Customize your daily email by topic and/or jurisdiction.
  • Search archives for stories of interest.

Not just news — the right news

  • Get expert analysis written by subject matter specialists—created by attorneys for attorneys.
  • Track law firms and organizations in the headlines with our new “Who’s in the News” feature.
  • Promote your firm with our new reprint policy.

24/7 access for a 24/7 world

  • Forward information with special copyright permissions, encouraging collaboration between counsel and colleagues.
  • Save time with mobile apps for your BlackBerry, iPhone, iPad, Android, or Kindle.
  • Access all links from any mobile device without being prompted for user name and password.