Tough Federal Cybersecurity Standards for Big Banks Proposed3 Regulators Unveil Plan for Protecting Banks from Cyberattacks
Federal banking regulators are proposing tough new standards designed to bolster cybersecurity at the nation's largest banking institutions.
The proposed standards, published on Oct. 19 by the Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency, are aimed at institutions with $50 billion or more in assets. They will be finalized after a comment period that ends Jan. 17. But FDIC spokesman David Barr tells Information Security Media Group that no timeframe has been set for when the new standards could take effect.
"Due to the increasing interconnectedness of the U.S. financial system, a cyber incident or IT failure at one entity may impact the safety and soundness of other financial entities and introduce potentially systemic consequences," the draft proposal states.
The proposed standards call for two tiers of requirements, with higher standards being set for institutions that manage, maintain and/or operate systems that provide key functionality to the financial sector, posing the greatest risk to the financial system.
"For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber-event," according to a release from the agencies.
The proposed standards for all large banks cover five key areas:
- Cyber risk governance;
- Cyber risk management;
- Internal dependency management;
- External dependency management; and
- Incident response, cyber resilience and situational awareness.
Among some of the points addressed in the proposed standards are the need for more stringent cybersecurity requirements for third-party service providers as well as nonbank financial companies, such as payments processors, that are supervised by federal regulators.
The Board's Role
The proposal also calls for more cybersecurity oversight from boards of directors and senior management by holding them accountable for implementing cyber risk management frameworks. It also notes that federal regulators are considering whether they should mandate that bank board members have "adequate expertise" in cybersecurity.
Cybersecurity attorney Chris Pierson, CISO and general counsel at invoicing and payments provider Viewpost, says regulators' call for more qualified board members could potentially have the greatest impact on banks' cybersecurity and cyber risk governance.
"Similar to the requirements under Sarbanes-Oxley that require boards to have persons of financial expertise on the board or audit committee, this change will ensure that there is proper governance over risk, cybersecurity and privacy from an outside director perspective," he says. "Nothing these days is more important than having effective, knowledgeable experts who can understand business objectives and goals and provide some balance to cybersecurity business advantages and risks. These requirements are helpful to amplify the need for board access and governance over cybersecurity and business goals."
The proposed standards "would not apply to community banks," FDIC Chairman Martin J. Gruenberg points out in a statement. "They ... would continue to be subject to current generally applicable guidance and standards."
The federal regulators' announcement comes just weeks after the New York Department of Financial Services announced plans for new cybersecurity regulation (see Critics Blast New York's Proposed Cybersecurity Regulation).