October 19, 2016
Agencies issue advanced notice of proposed rulemaking on enhanced cyber risk management standards
Board of Governors of the Federal Reserve System
Office of the Comptroller of the Currency
Federal Deposit Insurance Corporation
For immediate release
The three federal banking regulatory agencies today approved an advance notice of proposed rulemaking (ANPR) inviting comment on a set of potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision. The standards would apply as well to services provided by third parties to these firms.
The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Board. The proposed enhanced standards would not apply to community banks.
The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.
To benefit from comments on all aspects of the potential enhanced standards, the agencies are issuing an ANPR before developing a more detailed proposal for consideration. The agencies are also asking for comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector. Comments on the ANPR are due January 17, 2017.