Three federal banking agencies have announced plans to develop new rules that would establish cyber risk management and resiliency standards for large interconnected entities under the agencies' supervision, as well as those entities' service providers (covered entities). The agencies—The Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—have invited public comment on the advance notice of proposed rulemaking (ANPR). The deadline for submitting comments is January 17, 2017.

Public comments on the ANPR will be used to develop a more detailed proposal to "increase the operational resilience of these entities and reduce the impact on the financial system in case of a cyber event." Financial institutions and service providers that would likely be subject to the upcoming cyber risk regulations should carefully assess the proposed standards and consider whether they wish to submit comments to the discrete questions posed by the federal banking agencies in the ANPR. They also should consider evaluating their current approach to cyber risk management in anticipation of the new rules.

The agencies propose applying the standards to the most complex financial entities with total consolidated assets of $50 billion or more on an enterprise-wide basis. The agencies emphasize that a cyber incident or failure at one of these interconnected entities may impact not only the safety and soundness of the entity, but also of other financial entities with potentially systemic consequences. The direct application of the standards to third-party service providers is intended to allow the agencies to facilitate supervisory action in the event that a covered entity does not meet a proposed standard, regardless of whether the covered entity or its affiliate conducted the operation itself, or whether it engaged a third-party service provider to conduct the operation. The ANPR notes that the proposed standards would not apply to community banks.

The standards would address five categories of cyber risk management:

• Cyber risk governance: Requiring the board of directors or an appropriate committee to approve "the entity's cyber risk management strategy and holding senior management accountable for establishing and implementing appropriate policies consistent with the strategy," and to ensure that officers with cybersecurity responsibility have independent access to the board;

• Cyber risk management: Integrating cyber risk management into the responsibilities of at least three independent functions, such as business units, the independent risk management function, and the audit function;

• Internal dependency management: Ensuring that covered entities identify and manage cyber risks associated with the business assets they depend on to deliver services, as well as the information flow and interconnections among those assets;

• External dependency management: Ensuring that covered entities identify and manage cyber risks associated with their relationships with external organizations and service providers, such as vendors and customers, as well as the information flow and interconnections between covered entities and those parties; and

• Incident response, cyber resilience, and situational awareness: Ensuring that covered entities plan for, respond to, contain, and rapidly recover from disruptions caused by cyber incidents, including maintaining operations and ensuring data integrity during cyberattacks.

The agencies are considering a two-tiered approach, with higher standards to be required for critical systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies would require covered entities to substantially mitigate the risk of a disruption or failure due to a cyber event. The ANPR seeks comment on criteria that the agencies should consider in identifying sector-critical systems.

FDIC Chair Martin Gruenberg noted that "this ANPR would build on the existing framework of information technology guidance already in place." The Federal Financial Institutions Examination Council (FFIEC) IT Handbook, including the Information Security booklet, which was recently updated as described in our prior alert, should continue to be used by covered entities. However, the ANPR notes that other guidance in this area, including the FFIEC Cybersecurity Assessment Tool and the National Institute of Standards and Technology Cybersecurity Framework, do not establish minimum standards. Unlike these resources, the proposed standards would impose binding requirements designed specifically to address the cyber risks of the largest, most interconnected U.S. financial entities.