Bank regulators mull new cyber standards

The three big federal banking regulatory agencies are seeking input on a set of proposed cyber risk management and resilience standards.

The proposed standards from the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation would apply to large, interconnected banks under those agencies' supervision and to services provided by third parties to those banks.

The regulatory agencies are considering applying the standards to banks and depository institution holding companies that have more than $50 billion in total consolidated assets, U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve System board. The proposed standards would not apply to community banks.

Regulators warn that the consequences of a technology failure or attack directed at the financial system could be catastrophic.

"Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences," the agencies' notice states.

The enhanced standards are aimed at increasing operational resilience and limiting the ability of a cyberattack on one institution to cascade to others. The proposed standards would cover five areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.

Those baseline standards would be paired with a more stringent set of standards for systems that provide key functionality to the financial sector as a whole.

The agencies are also considering a requirement for covered financial institutions to keep key data off-line, so that an attack or system failure that destroys or corrupts online financial records, including balances, deposits and loans, leaves a recoverable copy. That provision would entail banks adopting "certain defined data standards to allow for restoration of these records by another financial institution, service provider or the FDIC in the event of resolution," the notice states.

The deadline for comments is Jan. 17, 2017.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
