The three federal banking regulatory agencies, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, announced an advance notice of proposed rulemaking (ANPR) regarding enhanced cyber risk management standards for large and interconnected entities under their supervision, as well as those entities’ service providers. The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For such sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.
As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.
Comments are invited on:
- The set of potential enhanced cybersecurity risk-management and resilience standards; and
- Potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector.
The enhanced standards being considered are being established to increase the operational resilience of the supervised and interconnected entities and reduce the impact on the financial system in case of a cyber event. Five categories of cyber standards are being addressed:
- Cyber risk governance;
- Cyber risk management;
- Internal dependency management;
- External dependency management; and
- Incident response, cyber resilience and situational awareness.
These tiered standards respond to the interconnectedness of the U.S. financial system: growing technology dependence and use of third parties in the financial sector increase the opportunities for high-impact technology failures and cyber-attacks that can affect the safety and soundness of the entities involved, as well as other financial entities, with potentially systemic consequences.
The rule would impose more stringent standards on those systems of the affected entities that are critical to the functioning of the financial sector. “The enhanced standards would be integrated into the existing supervisory framework by establishing enhanced supervisory expectations for the entities and services that potentially pose heightened cyber risk to the safety and soundness of the financial sector.”
Comments must be submitted to the Federal Reserve by Tuesday, January 17, 2017. Submission instructions are provided beginning on page two of the ANPR.