Privacy & Information Security Law Blog

On October 19, 2016, the Federal Deposit Insurance Corporation (“FDIC”), the Federal Reserve System (the “Fed”) and Office of the Comptroller of the Currency issued an advance notice of proposed rulemaking suggesting new cybersecurity regulations for banks with assets totaling more than $50 billion (the “Proposed Standards”).

The Proposed Standards address five categories of cybersecurity: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. The Proposed Standards would require covered entities to develop written, board-approved cybersecurity strategies to hold senior management accountable and incorporate procedures for independent risk management reporting to the company’s chief risk officer. Covered entities would also be required to define internal and external cyber risks and develop resiliency plans to ensure continued operation of critical business functions during a cyber incident.

The Proposed Standards include a two-tiered system that establishes more stringent requirements for systems of those covered entities that are deemed “critical to the financial sector.” Under these more stringent requirements, covered entities would be obligated to implement the “most effective, commercially available controls” on sector-critical systems and establish a test-validated two-hour time period for such systems to “recover from a disruptive, corruptive, or destructive cyber event.”

The Proposed Standards would apply to companies with total consolidated assets of at least $50 billion, as well as to Fed-supervised non-bank financial companies, financial market infrastructures and financial market utilities (as designated by the Financial Stability Oversight Council) and third parties who provide services to these firms. Community banks would not be subject to the Proposed Standards. FDIC Chairman Martin J. Gruenberg released a statement praising the issuance of the Proposed Standards, stating, “The enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.”

Comments on the Proposed Standards are due January 17, 2017.