U.S. banking regulators this week unveiled a proposal to enhance cybersecurity risk-management and resilience standards for the largest banks and their interconnected entities.

The proposed joint standards by the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency would apply to depository institutions and depository institution holding companies with assets of $50 billion or more, U.S. operations of foreign banking organizations with U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve.

The enhanced standards would not apply to community banks. Comments are due Jan. 17, 2017.

The proposed rule addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.

The agencies said they are considering the implementation of the enhanced standards in a “tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.”

Financial institutions and consumers, the agencies said, “have become increasingly dependent on technology to facilitate financial transactions,” just as the largest, most complex financial institutions “rely heavily on technology to engage in national and international banking activities and to provide critical services to the financial sector and the U.S. economy.”

“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the banking regulators said.

Recovery strategies, the regulators said, should include the establishment of recovery time objectives. The agencies said they are considering a requirement that covered entities under the rule set up a recovery time of two hours for their sector-critical systems, validated by testing, to recover from a disruptive, corruptive, or destructive cyber event.

The test programs, the agencies said, “would include a range of scenarios, including severe but plausible scenarios, and would challenge matters such as communications protocols, governance arrangements, and resumption and recovery practices.”

The regulators are issuing the proposed rule before developing a more detailed proposal for consideration, and are seeking comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Melanie Waddell

Melanie is senior editor and Washington bureau chief of ThinkAdvisor. Her ThinkAdvisor coverage zeros in on how politics, policy, legislation and regulations affect the investment advisory space. Melanie’s coverage has been cited in various lawmakers’ reports, letters and bills, and in the Labor Department’s fiduciary rule in 2023. In 2019, Melanie received an Honorable Mention, Range of Work by a Single Author award from @Folio. Melanie joined Investment Advisor magazine as New York bureau chief in 2000. She has been a columnist since 2002. She started her career in Washington in 1994, covering financial issues at American Banker. Since 1997, Melanie has been covering investment-related issues, holding senior editorial positions at American Banker publications in both Washington and New York. Briefly, she was content chief for Internet Capital Group’s EFinancialWorld in New York and wrote freelance articles for Institutional Investor. Melanie holds a bachelor’s degree in English from Towson University. She interned at The Baltimore Sun and its suburban edition.