Bank Regulators Issue Proposed Rules on Cybersecurity Controls

Following New York’s proposed regulation on cybersecurity, banking regulators have issued notice of proposed cybersecurity rules. The Federal Deposit Insurance Corporation, the Federal Reserve and Office of the Comptroller of the Currency issued these proposed requirements as part of their efforts to help protect financial markets and customers from cyber attacks. Comments are due back by January 17, 2017. Questions are included to help solicit feedback for possible adjustments to the proposed regulations.

Who is Covered?

The proposed rules would apply to large financial institutions (assets totaling more than $50 billion) as well as to Fed-supervised non-bank financial companies, financial market infrastructures, firms designated by the Financial Stability Oversight Council and third parties who service the covered firms. Community banks are exempt from the proposed regulations for now, but it remains to be seen how smaller institutions will be assessed against these new requirements.

What is Required?

Covered firms would need to institute controls to help them prepare for, track and respond to cyber incidents and potential major attacks. Integral to these requirements is a board-approved cybersecurity framework that encompasses a firm’s business strategies and would cover five categories of cybersecurity:

• cyber risk governance
• cyber risk management
• internal dependency management
• external dependency management
• incident response, cyber resilience and situational awareness.

Additionally, firms would have to define internal and external cyber risks and maintain response plans to ensure continuity of their critical operations during a cyber incident or attack.  The proposed requirements follow a two-tiered approach, with tougher requirements for systems that are “critical” to the financial sector. Covered firms would have to also ensure that the controls in place: 1) are the “most effective, commercially available controls” to minimize residual cyber risk and 2) would ensure a two-hour recovery time for systems to return to normal operations following a cyber attack.

In conclusion, if the proposed regulations are approved as drafted, you should be prepared for the following key requirements:

• Cyber risk management strategies incorporated into a firm’s overall business strategy and risk management
• Board review and approval of a firm’s cybersecurity framework, risk appetite and tolerance
• Cybersecurity officers with sufficient resources and staff, as well as access to the board to notify them of known and emerging cyber risk issues periodically
• Cyber risk management integrated into a firm’s existing governance models and business operations
• Audit function that evaluates the cyber risk management framework
• Cyber risk assessments and periodic testing of practices and functions that present potential cyber attacks and events and their potential impact on operations
• Oversight of and process for managing third-party cyber risks
• Cyber incident response programs
• Ongoing cyber analysis.

A full copy of the proposed rules is available here.