Federal Banking Regulators Propose Joint Rules for Enhanced Cybersecurity Management
On October 19, 2016, three federal bank regulators issued a joint advance notice of proposed rulemaking on enhanced cyber risk management standards. The Federal Reserve Board (“Federal Reserve”), the Office of the Comptroller of the Currency (“OCC”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, “the agencies”) seek comments on the proposal and on a series of specific questions by January 17, 2017. The agencies’ proposed standards seek to address the “heightened cyber risk to the safety and soundness of the financial sector,” and represent “enhanced supervisory standards” to be “integrated into the existing supervisory framework.”
Scope of Coverage. The agencies would apply the enhanced standards to entities within their respective jurisdictions with total consolidated assets of $50 billion or more, measured on an enterprise-wide basis (i.e., together with their subsidiaries). For the OCC, this would include national banks, federal savings associations, and federal branches of foreign banks; for the FDIC, state non-member banks. For the Federal Reserve, the enhanced standards would apply to U.S. bank holding companies and savings and loan holding companies; the U.S. operations of foreign banking organizations, including state-regulated branches of foreign banks; financial market utilities and nonbank financial companies supervised by the Board, including the nonbank financial companies subject to enhanced supervision under Section 165 of the Dodd-Frank Act (nonbank “SIFIs”), in each case where assets meet or exceed the threshold. Importantly, the proposal also reaches nonbank subsidiaries of covered holding companies, which would be held to the same standards, and third-party service providers to which the standards would have “direct application.”
Enhanced Supervisory Standards. The proposal takes a two-tiered approach: a baseline set of standards for all covered entities, and a higher set of standards for their “sector-critical systems.” Among the requirements for sector-critical systems, the agencies propose a recovery time objective of two hours following a “disruptive, corruptive, or destructive cyber event.” For all covered entities, the proposed standards are organized under five categories: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Within these categories, covered entities would be required, among other things, to adopt a formal cyber risk management strategy, together with the policies and procedures needed to implement it; to conduct ongoing risk assessments at the business unit level; to maintain an independent risk management function; and to establish effective policies, plans, and procedures to identify and manage, in real time, the cyber risks associated with external dependencies.
Current Framework. The existing supervisory framework includes the Financial and Banking Information Infrastructure Committee of the President’s Working Group on Financial Markets, the Financial Stability Oversight Council, and the Federal Financial Institutions Examination Council (“FFIEC”), whose IT Examination Handbooks and related cybersecurity awareness tools and resources are directed at financial institutions. The FFIEC published its Cybersecurity Assessment Tool (“CAT”) in June 2015. On October 18, 2016, the FFIEC published a set of Frequently Asked Questions to help financial institutions use the CAT; the FDIC announced the FAQs in Financial Institution Letter FIL-68-2016. The FAQs clarify points in the CAT and its supporting materials based on questions the FFIEC members received over the past year, and note that the assessment tool will be updated as threats and risks evolve.
The agencies’ announcement follows a series of efforts by these bank regulators to increase scrutiny of cyber risk management practices in the financial services sector. Financial institution management remains primarily responsible for assessing and mitigating the institution’s cybersecurity risk, including the risk arising from services provided by third parties. It is therefore critical that financial services firms understand whether, and to what extent, their businesses may become subject to these enhanced standards. Engaging experienced outside counsel under the attorney-client privilege, together with information security experts, to conduct a comprehensive legal and security risk assessment using the CAT is a sound first step toward compliance with the anticipated enhanced standards.
To read more about the issues discussed in this alert, see the most recent Bank Notes newsletter: Community Banks - Week in Review, Vol. 38.
Department of the Treasury, Office of the Comptroller of the Currency; Federal Reserve System; Federal Deposit Insurance Corp., “Enhanced Cyber Risk Management Standards,” available at https://www.fdic.gov/news/board/2016/2016-10-19_notice_dis_a_fr.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery.
Id. at 22.
Id. at 13-14.
Id. at 14-15.
Id. at 41.
See id. at 23-41.
See id.
The articles published in this newsletter are intended only to provide general information on the subjects covered. The contents should not be construed as legal advice or a legal opinion. Readers should consult with legal counsel to obtain specific legal advice based on particular situations.