Feds Propose Enhanced Cyber Standards for Nation’s Largest Banks and Their Boards

Patterson Belknap Webb & Tyler LLP

Bank regulators are continuing to demand more accountability from corporate leaders when it comes to compliance with cybersecurity safeguards.

In an advance notice of proposed rulemaking issued yesterday, federal regulators are seeking public comment on standards that would require the nation’s biggest banks to bulk up their cybersecurity preparedness and governance.  And agency officials made clear that the move is intended to put the responsibility squarely on the shoulders of corporate officers and directors.

The Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have laid out a series of new standards for banks with more than $50 billion in assets and other “systemically significant firms.”  The standards would affect several dozen financial institutions and insurance companies.

The point of the new standards – intended to “supplement” current federal bank data security regulation – is to avoid “high impact IT failure and cyberattacks” by creating a framework for cybersecurity governance and management.  For example, the covered banks would need to ensure that their boards had “adequate expertise in cybersecurity” and the “ability to maintain access to personnel with such expertise.”  The proposal would require banks to implement a cyber risk management plan approved by their boards and integrated into their business strategies at both the enterprise and business-unit levels.

Third-party vendors – outside service providers such as law firms – are also covered by the framework, which would require them to adhere to the same data security requirements as the banks themselves.

A primary concern of the regulators is the interconnectedness of financial institutions and the potential for a daisy-chain effect when there’s a major breach. “As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks,” said the proposal. “Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.”

The public comment period on the proposal closes on January 17, 2017.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
