Bank regulators mull new cyber standards

The three big federal banking regulatory agencies are seeking input on a set of proposed cyber risk management and resilience standards.

The proposed standards from the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation would apply to large, interconnected banks under those agencies' supervision and to services provided by third parties to those banks.

The regulatory agencies are considering applying the standards to banks and depository institution holding companies that have more than $50 billion in total consolidated assets, U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve System board. The proposed standards would not apply to community banks.

Regulators warn that the consequences of a technology failure or attack directed at the financial system could be catastrophic.

"Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences," the agencies' notice states.

The enhanced standards are aimed at increasing operational resilience and reducing the ability of a cyberattack on one institution to spread to others. The proposed standards would cover cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.

They would be paired with an additional set of higher standards for systems that provide key functionality to the financial sector.

The agencies are also considering a requirement for covered financial institutions to store key data off-line in the event that an attack or system failure eradicates online financial records, including balances, deposits and loans. That provision would entail banks adopting "certain defined data standards to allow for restoration of these records by another financial institution, service provider or the FDIC in the event of resolution," the notice states.

The deadline for comments is Jan. 17, 2017.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
