Agencies Seek Comment on Large Bank Cyber Standards

The Federal Reserve, FDIC and OCC today issued an advance notice of proposed rulemaking seeking comments on a set of enforceable cybersecurity standards for banks with more than $50 billion in assets. The new standards would be designed to supplement, not replace, existing interagency requirements and guidance for cyber resilience.

The agencies said they are considering three main approaches to implementing the standards: proposing minimum requirements for a cyber risk governance framework, similar to previous interagency supervisory guidelines; proposing regulations containing specific cyber risk management standards in five categories (cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness); and, most prescriptively, proposing standards that include specific objectives in each category.

Possible objectives in the aforementioned categories would include a written, board-approved, enterprise-wide cyber risk management strategy and risk appetite; “adequate” board expertise in cybersecurity; senior cybersecurity managers who report independently to the board; assessments of cybersecurity risk management at the business unit level; cyber risk built into an independent risk management function; inventories of all internal and external assets that affect cyber risk management; real-time monitoring of external dependencies; and transition and backup plans in the event of a successful cyber attack.

Along with bank members of the Financial Services Information Sharing and Analysis Center, the American Bankers Association has been leading cooperative, private-sector efforts to improve the cyber-resilience of the financial system. ABA will carefully review the proposal and provide comments by Jan. 17, 2017. For more information, or to provide feedback, contact ABA’s Denyette DePierro.