On October 19, US banking agencies released an advanced notice of proposed rulemaking (ANPR) seeking comments on enhanced cybersecurity standards. These standards potentially would apply to
- US bank holding companies and savings and loan holding companies with total consolidated assets of $50 billion or more,
- foreign banking organizations’ US operations with US assets of $50 billion or more, and
- other types of entities under the jurisdiction of the ANPR-issuing agencies and such entities' service providers.
The ANPR would create a tiered system of standards aimed at reducing cyber risk and preventing financial sector disruptions resulting from cyber events.
The ANPR, issued by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, sets forth an initial framework for the enhanced standards. The agencies will produce a more detailed proposal after they receive comments on the ANPR, which are due by January 17, 2017.
The five proposed categories of enhanced standards are
- cyber risk governance,
- cyber risk management,
- internal dependency management,
- external dependency management, and
- incident response, cyber resilience, and situational awareness.
The standards include
- having adequate cybersecurity expertise on the board of directors or board access to adequate cybersecurity resources,
- developing board-level formal cyber risk-management strategies,
- integrating cyber risk management into responsibilities of independent functions,
- continually assessing the reduction of cyber risk of internal and external dependencies,
- maintaining awareness of all internal assets and functions that support the cyber risk-management strategy,
- real-time monitoring of external dependencies,
- periodically testing alternative solutions to address potential failures of external partners, and
- establishing capabilities to maintain critical business functions during cyber attacks.
The ANPR also considers a higher set of standards that would apply to "systems of covered entities that are critical to the financial sector." Under the standards, entities potentially would have to minimize the cyber risk of sector-critical systems subject to the higher tier of standards by implementing the most effective, commercially available controls and establishing a recovery time objective of two hours for such systems (among other proposed requirements).
Tentatively, the higher set of standards could apply to systems that consistently support the clearing or settlement of at least 5% of transactions’ value in one or more of the markets for federal funds, foreign exchange, commercial paper, US government and agency securities, corporate debt and equity securities, and exchange-traded and over-the-counter derivatives. However, the ANPR notes that other factors for determining the higher standards’ applicability are being considered, including interconnectedness. Notably, service providers that support such sector-critical systems would also be subject to the higher set of standards.