Bank regulators mull new cyber standards

The three banking regulatory agencies that oversee large U.S. financial institutions are seeking comments on proposed new standards for cyber resilience.


The three big federal banking regulatory agencies are seeking input on a set of proposed cyber risk management and resilience standards.

The proposed standards from the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation would apply to large, interconnected banks under those agencies' supervision and to services provided by third parties to those banks.

The regulatory agencies are considering applying the standards to banks and depository institution holding companies that have more than $50 billion in total consolidated assets, U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve System board. The proposed standards would not apply to community banks.

Regulators warn that the consequences of a technology failure or attack directed at the financial system could be catastrophic.

"Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences," the agencies' notice states.

The enhanced standards are aimed at increasing operational resilience and limiting the ability of a cyberattack on one institution to spread to others. The proposed standards would cover five areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.

They would be paired with an additional set of higher standards for systems that provide key functionality to the financial sector.

The agencies are also considering a requirement for covered financial institutions to store key data off-line in the event that an attack or system failure eradicates online financial records, including balances, deposits and loans. That provision would entail banks adopting "certain defined data standards to allow for restoration of these records by another financial institution, service provider or the FDIC in the event of resolution," the notice states.

The deadline for comments is Jan. 17, 2017.
