Nearly one month after the New York State Department of Financial Services issued a proposal to establish prescriptive cyber requirements for New York-domiciled financial institutions,1 three federal banking agencies—the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) (collectively, the “agencies”)—issued an advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management and resilience standards for large banking organizations.2
Specifically, the enhanced standards would apply to US bank holding companies, the US operations of foreign banking organizations, and US savings and loan holding companies with more than $50 billion in total assets, as well as nonbank financial companies and financial market utilities designated for FRB supervision by the Financial Stability Oversight Council (FSOC), among others.
The ANPR, which the agencies opted to issue instead of a more detailed proposed rule in order to benefit from public input, would establish a two-tiered approach:
For detailed information on the proposed requirements, please click here.
The ANPR sets forth enhanced standards in five categories: (1) cyber risk governance, (2) cyber risk management, (3) internal dependency management, (4) external dependency management, and (5) incident response, cyber resilience, and situational awareness.
Each covered entity should closely review the ANPR and assess its current policies and procedures to understand how it compares to the requirements set forth.
While the five categories of enhanced standards would apply to all systems of covered entities, the agencies would impose more stringent requirements on sector critical systems.
Specifically, the agencies are considering requiring covered entities to reduce the residual risk of sector-critical systems by implementing the most effective commercially available controls, and to substantially mitigate the risk of a disruption or failure due to a cyber event.
In addition, the agencies are considering requiring covered entities to establish a recovery time objective of two hours for their sector-critical systems, validated by testing, to recover from a disruptive, corruptive, or destructive cyber event.
The proposed regulation is subject to a public comment period that ends on January 17, 2017. Importantly, the ANPR notes that the agencies are considering various regulatory approaches to establishing the enhanced standards including through a policy statement or guidance, or through a detailed regulation. They seek comment on which option to pursue.
As further developments occur, Deloitte Advisory will issue additional updates as appropriate.
Organizations may contact Deloitte with questions about the ANPR and activities to support planning, preparation, and compliance.
1 New York State Department of Financial Services, Proposed, “Cybersecurity Requirements for Financial Services Companies,” 23 NYCRR 500, (September 13, 2016), available here.
2 Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, “Agencies Issue Advanced Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards,” (October 19, 2016), available here.
Posted by Vikram Bhat, Principal | Deloitte Advisory, Deloitte & Touche LLP, Julie Bernard, Principal | Deloitte Advisory, Deloitte & Touche LLP, Walter Hoogmoed, Principal | Deloitte Advisory, Deloitte & Touche LLP, Andrew Morrison, Principal | Deloitte Advisory, Deloitte & Touche LLP, Chris Spoth, Managing Director | Deloitte Advisory, Deloitte & Touche LLP, and Alex LePore, Senior Consultant | Deloitte Advisory, Deloitte & Touche LLP on October 27, 2016.