Proposed federal cybersecurity standards for the nation's largest banks aim to mandate how banks must address risk management, business continuity and incident response (see Tough Federal Cybersecurity Standards for Big Banks Proposed).
But the proposed mandates shouldn't come as a big surprise because they're just an extension of what federal regulators have been suggesting for years in their guidance.
The proposed federal cybersecurity standards will put more pressure on the nation's top banks to make certain that their cybersecurity strategies are as complete and effective as possible.
Enacting true mandates,, rather than guidance, however, shows that regulators want assurances that big banks are actually doing what's been recommended to mitigate risks associated with cyberattacks.
If the nation's leading banks have not already implemented most of the proposed requirements, including ensuring hands-on cybersecurity oversight from executive management and boards of directors, then shame on them.
Standards Won't Be Rushed
It could be a year or more before we see a final version of the proposed standards.
The Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency - the three Federal Financial Institution Examination Council agencies that published the proposal for new standards - are accepting comments until Jan. 17. After that, the comments will be reviewed by all five FFIEC agencies before new mandates are finalized and published. By then, the standards could be revised.
And keep in mind, the regulators are proposing that only institutions with $50 billion or more in assets be required to comply with the new standards.
The Proposal's Highlights
One of the more noteworthy proposed mandates is the call for holding boards and senior management more accountable for implementing cyber risk management frameworks. Regulators also propose that the nation's big banks take steps to ensure that board members have "adequate expertise" in cybersecurity.
In earlier guidance, regulators made it clear that boards and senior management need more cybersecurity involvement (see FFIEC Updates Cybersecurity Expectations for Boards).
The proposed mandates would ensure that banks are following through.
Regulators also want service providers used by banks and/or those linked to the financial infrastructure, such as payments processors, to be held to the same cybersecurity requirements that the banks they work with are.
So, third-party service providers working with the country's largest banks could have to adhere to the same federal mandates, once they're enacted.
Most of those providers are already examined by federal banking regulators, so imposing stricter requirements is not so much of a stretch. And banks will likely have to ensure in their contracts, as well as through ongoing due diligence, that their service providers are maintaining compliance with security mandates.
Banking regulators have expressed concern about the need to better mitigate third-party cyber risks for the past two years (see OCC Expands on Third-Party Cyber-Risks).
In an effort to ensure that the big banks aren't crippled by a significant cyberattack, such as a distributed denial-of-service attack, regulators propose mandating that banks take steps to ensure they can bounce back from a cyberattack within two hours of being targeted.
Cyber resiliency became a priority in the wake of the 2012-2013 DDoS attacks (see Hacktivist Speaks Out About DDoS), when many top-tier banks were caught off guard and, in some cases, had their online banking sites taken offline for hours, if not days.
Since then, however, leading banks have enhanced cyber threat information sharing efforts and updated their DDoS mitigation strategies to help them prepare.
Now regulators want to make sure the nation's largest banks remain vigilant by continually testing and upgrading their defenses and systems to ensure they're prepared for evolving attacks and threats (see DDoS Attack Blamed for Massive Outages).
The proposed federal cybersecurity standards will put more pressure on the nation's top banks to make certain that their cybersecurity strategies are as complete and effective as possible. And if banks have been paying attention to earlier guidance, compliance shouldn't be challenging.