Bank regulators mull new cyber standards


The three big federal banking regulatory agencies are seeking input on a set of proposed cyber risk management and resilience standards.

The proposed standards from the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation would apply to large, interconnected banks under those agencies' supervision and to services provided by third parties to those banks.

The regulatory agencies are considering applying the standards to banks and depository institution holding companies that have more than $50 billion in total consolidated assets, U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve System board. The proposed standards would not apply to community banks.

Regulators warn that the consequences of a technology failure or attack directed at the financial system could be catastrophic.

"Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences," the agencies' notice states.

The enhanced standards are aimed at increasing operational resilience and reducing the ability of a cyberattack on one institution to spread to others. The proposed standards would cover cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.

They would be paired with an additional set of higher standards for systems that provide key functionality to the financial sector.

The agencies are also considering a requirement for covered financial institutions to store key data off-line in the event that an attack or system failure eradicates online financial records, including balances, deposits and loans. That provision would entail banks adopting "certain defined data standards to allow for restoration of these records by another financial institution, service provider or the FDIC in the event of resolution," the notice states.

The deadline for comments is Jan. 17, 2017.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.

