Following New York’s proposed regulation on cybersecurity, banking regulators have issued notice of proposed cybersecurity rules. The Federal Deposit Insurance Corporation, the Federal Reserve and Office of the Comptroller of the Currency issued these proposed requirements as part of their efforts to help protect financial markets and customers from cyber attacks. Comments are due back by January 17, 2017. Questions are included to help solicit feedback for possible adjustments to the proposed regulations.
The proposed rules would apply to large financial institutions (assets totaling more than $50 billion) as well as to Fed-supervised non-bank financial companies, financial market infrastructures, firms designated by the Financial Stability Oversight Council and third parties who service the covered firms. Community banks are exempt from the proposed regulations for now, but it remains to be seen how smaller institutions will be assessed against these new requirements.
Covered firms would need to institute controls to help them prepare for, track and respond to cyber incidents and potential major attacks. Integral to these requirements is a board-approved cybersecurity framework that encompasses a firm’s business strategies and would cover five categories of cybersecurity:
Additionally, firms would have to define internal and external cyber risks and maintain response plans to ensure continuity of their critical operations during a cyber incident or attack. The proposed requirements follow a two-tiered approach, with tougher requirements for systems that are “critical” to the financial sector. Covered firms would also have to ensure that the controls in place: 1) are the “most effective, commercially available controls” to minimize residual cyber risk and 2) ensure a two-hour recovery time for systems to return to normal operations following a cyber attack.
In conclusion, if the proposed regulations are approved as drafted, you should be prepared for the following key requirements:
A full copy of the proposed rules is available here.
Patty P. Tehrani is an experienced compliance counsel and advisor and the founder of the Policy Patty Toolkit (www.policypatty.com). Patty has expansive knowledge and expertise on policy development as well as governance and risk management programs, processes and controls. You can follow her on LinkedIn or contact her via email@example.com.