Regulators Target Banks’ Cybersecurity Policies

A draft proposal by three agencies seeks to boost cyber defenses and reduce the impact on the financial system of an attack.
Matthew Heller, October 20, 2016

U.S. banking regulators have proposed measures to beef up the cybersecurity defenses of financial institutions and mitigate the impact of a cyberattack.

In a draft plan released on Wednesday, the Federal Reserve, the Federal Deposit Insurance Corp., and the Office of the Comptroller of the Currency said the enhanced standards would apply to entities with total consolidated assets of $50 billion or more, with the toughest measures reserved for firms considered to pose the greatest risk to the financial system.

Those firms, among other things, would have to show they can get their core operations running within two hours of a cyberattack or major IT failure.


The plan is aimed at “increasing [banks’] operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities,” FDIC Chairman Martin Gruenberg said at a meeting to discuss the proposal.

As The Wall Street Journal reports, “Regulators have been wrestling with how to shield financial firms from increasing cybercrimes following a series of attacks that have cost the industry billions of dollars and have shaken American consumers’ confidence.” Those attacks include a hack in February at Bangladesh’s central bank and the 2014 attack on JP Morgan Chase.

On Wednesday, regulators said the new standards had been under consideration for some time and that they are concerned about the vulnerability of the nation’s financial systems.

“In the course of just a generation … we’ve gone from a situation where institutions had no dependence on IT to … [what] feels like an utter dependence on IT,” Richard Cordray, head of the Consumer Financial Protection Bureau, said.

The new standards could apply to roughly 40 banks and a variety of non-bank financial companies. Covered entities would be required to develop and maintain a cybersecurity risk management plan approved by their boards and incorporated into their business strategies.

Regulators already address their banks’ information security practices during regular supervisory reviews. Comptroller of the Currency Thomas Curry said the improved standards would complement those existing programs.