Banking Regulators Invite Comment On Cybersecurity Standards For Large Banks

King & Spalding
On Thursday, October 20, the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation jointly issued an advance notice of proposed rulemaking, requesting comments on enhanced cybersecurity standards for large banks. As proposed, the rules, which would sit on top of the current regulatory regime, would take a two-tiered approach, with one set of standards applying to all entities and an additional, more stringent set of rules applying to entities with “sector-critical systems” the failure of which could present a systemic risk.

The proposed standards would cover financial institutions with assets of $50 billion or more, as well as financial market infrastructure companies and nonbank financial companies supervised by the regulators. The standards would also apply to third-party services provided to these covered institutions. The regulators are seeking comment on the development of the definition of sector-critical systems, but are considering treating as sector-critical those systems that support 5 percent or more of the value of the transactions in certain markets, including federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity securities, and that support 5 percent or more of the total U.S. deposits.

The regulators also are seeking comment on the exact form the proposed standards would take, ranging from policy statements or guidance to a detailed regulatory framework with specific requirements, or any combination thereof. The regulators intend for the standards to cover the following categories:

(1) Cyber risk governance, which covers the development and maintenance of a formal cyber risk management strategy, and would include requirements that the board of directors and senior management be involved in overseeing and evaluating such a strategy.

(2) Cyber risk management, which is meant to integrate risk management into the responsibilities of at least three independent functions—such as the business units, independent risk management, and the audit function—with appropriate checks and balances. This category would include requirements that an independent risk management function report directly to the chief risk officer or the board, and that the audit function incorporate an assessment of cyber risk management into the entity’s audit plan.

(3) Internal dependency management, which covers risks associated with business assets (such as employees, technology, data, and facilities). This category would include requirements that entities maintain an inventory of all business assets prioritized by the assets’ criticality to the business, and that they establish appropriate controls to address the inherent cyber risk of those assets.

(4) External dependency management, which covers risks associated with external relationships with outside vendors and service providers. This category would include requirements that entities maintain a complete awareness of all external dependencies prioritized by their criticality to the business, and that they establish appropriate controls to address the inherent cyber risk of those assets.

(5) Incident response, cyber resilience, and situational awareness, which covers the ability to respond to and recover from disruptions caused by cyber incidents. This category would include requirements that entities establish and implement entity-wide incident response plans as well as protocols for secure offline storage of critical records that would allow for restoration by another institution.

In addition to the universal standards, the regulators laid out possible standards for sector-critical systems, including the requirement that entities minimize the risk to these systems by implementing the “most effective, commercially available controls” and the requirement that entities establish plans that would allow recovery from a cyber event within two hours or less for such systems.

The notice of proposed rulemaking is available here. The comment period is open until January 17, 2017.
