U.S. banking regulators this week unveiled a proposal to enhance cybersecurity risk-management and resilience standards for the largest banks and their interconnected entities.
The proposed joint standards by the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency would apply to depository institutions and depository institution holding companies with assets of $50 billion or more, U.S. operations of foreign banking organizations with U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve.
The enhanced standards would not apply to community banks. Comments are due Jan. 17, 2017.
The proposed rule addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.
The agencies said they are considering the implementation of the enhanced standards in a “tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.”
Financial institutions and consumers, the agencies said, “have become increasingly dependent on technology to facilitate financial transactions,” just as the largest, most complex financial institutions “rely heavily on technology to engage in national and international banking activities and to provide critical services to the financial sector and the U.S. economy.”
“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the banking regulators said.
Recovery strategies, the regulators said, should include the establishment of recovery time objectives. The agencies said they are considering requiring covered entities to establish a two-hour recovery time objective for their sector-critical systems, validated by testing, for recovery from a disruptive, corruptive, or destructive cyber event.
The test programs, the agencies said, “would include a range of scenarios, including severe but plausible scenarios, and would challenge matters such as communications protocols, governance arrangements, and resumption and recovery practices.”
The regulators are issuing the proposed rule before developing a more detailed proposal for consideration, and are seeking comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector.