Regulators Propose Cybersecurity Standards for Banks

October 20, 2016

Three federal banking regulatory agencies have proposed cybersecurity rules that would include requiring institutions considered systemically risky to prove they can run major operations within two hours of an attack or a large systems failure.

The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more. The proposed enhanced standards would not apply to community banks.

"Covered entities would be required to be capable of operating critical business functions in the face of cyber-attacks," the regulators said in a statement.

The proposal addresses five categories of cyber standards:

  1. cyber risk governance
  2. cyber risk management
  3. internal dependency management
  4. external dependency management
  5. incident response, cyber resilience and situational awareness

The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event. Other requirements include a cybersecurity risk-management plan that is incorporated into the business strategy.

The rules, which will be finalized after industry input, are meant to raise cybersecurity to a top priority for corporate executives and boards, according to the banking agencies. Comments on the proposal are due Jan. 17, 2017. ALTA plans to submit a comment letter. Contact Ben Lincoln, ALTA's director of government affairs, with questions or concerns about the proposal.