The Federal Deposit Insurance Corp., Federal Reserve and Office of the Comptroller of the Currency co-authored a new set of guidelines designed to protect critical banking infrastructure. Escalating cyberattacks combined with increasing dependence on connected technologies have raised threat levels across the banking sector, the agencies stated.
Their recommendations, published Oct. 19, 2016, are detailed in Enhanced Cyber Risk Management Standards, an advance notice of proposed rulemaking (ANPR) that addresses cyber risk, internal dependency and external dependency management, as well as incident response, cyber resilience and situational awareness.
The ANPR recommends a tiered approach to implementing the new security guidelines, directing its strictest policies to large financial institutions with total consolidated assets of $50 billion or more.
"A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector," the authors wrote. "The agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm."
Increasing reliance on connected technologies in commercial and private sectors has raised threat levels across depository institutions, particularly the seven largest and most complex financial institutions, according to recent reports.
"As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks," the ANPR authors wrote. "Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences."
The authors additionally noted the expanded role of third-party service providers in financial services. "Third parties that provide payments processing, core banking, and other financial technology services to these participants in the financial sector also provide services that are vital to the financial sector," they wrote. They also recommended that third-party service providers and nonbank financial companies be held to the same rigorous standards and scrutiny as the financial institutions they serve.
The three-party cybersecurity initiative is designed to enhance existing regulatory guidance and oversight, of which there is no shortage in the financial services sector. The ANPR cites the following government agencies and guidelines tasked with protecting U.S. banking infrastructure:
Enhanced Cyber Risk Management Standards is available for public review and commentary until Jan. 17, 2017. The agencies are considering a variety of approaches, from policy statements to detailed regulations, to beef up existing regulatory and compliance frameworks.
The authors are encouraging the public to respond to the proposal during the open review period. They plan to publish pertinent feedback in a broader, more detailed report, followed by a second round of public review and consideration prior to a final ruling.
For a copy of the ANPR and detailed instructions for submitting commentary, visit www.federalreserve.gov/newsevents/press/bcreg/bcreg20161019a1.pdf.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next