U.S. bank regulators on Wednesday outlined cybersecurity standards designed to protect financial markets and consumers from cyberattacks against the nation’s top financial institutions.
The Federal Deposit Insurance Corporation (FDIC), the Federal Reserve and the Office of the Comptroller of the Currency (OCC) collaboratively issued a notice of proposed rulemaking for enhanced cybersecurity standards.
The proposed rulemaking, entitled Enhanced Cyber Risk Management Standards (ANPR), would address the manner in which banks, financial institutions and affiliates design strategies to prevent cyberattacks, minimize and gauge their risk of being hacked, and respond to an attack.
According to the regulators, the enhanced standards would serve to increase the entities’ operational resilience and reduce the impact on the financial system in the event of a failure, cyberattack, or the failure to implement appropriate cyber risk management.
The enhanced standards would cover five categories:
- Cyber risk governance
- Cyber risk management
- Internal dependency management
- External dependency management, and
- Incident response, cyber resilience, and situational awareness
The enhanced standards would be integrated into the existing IT supervisory framework and will apply to:
- Those U.S. bank holding companies, U.S. operations of foreign banking organizations, and U.S. savings and loan holding companies with total consolidated assets of $50 billion or more;
- Non-bank subsidiaries of covered bank holding companies;
- Non-bank financial companies supervised by the FRB pursuant to section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act);
- Financial market utilities (FMUs) designated by the FSOC for which the FRB is the supervisory agency pursuant to sections 805 and 810 of the Dodd-Frank Act;
- Financial market infrastructures (FMIs) over which the FRB has primary supervisory authority;
- FMIs that are operated by the Federal Reserve Banks;
- Depository institutions and any subsidiaries thereof with total consolidated assets of $50 billion or more, under the respective jurisdictions of each of the Agencies; and
- Third-party service providers with respect to services provided to covered depository institutions and their affiliates.
The Agencies are considering application of the enhanced standards to the systems of all covered entities, with higher Sector Critical Standards applying to systems of covered entities that are deemed critical to the financial sector.
The Agencies are considering these three mechanisms for implementing the enhanced standards:
- A regulation requiring entities to maintain a risk management framework for cyber risks, in conjunction with supervisory guidance that describes minimum expectations for the framework;
- A regulation that imposes specific cyber risk management standards; or
- A regulation that would include details on the specific objectives and practices a covered entity would be required to achieve in each area of concern in order to demonstrate that the entity’s cyber risk management program could adapt to changes in the entity’s operations and to the evolving cybersecurity environment.