The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency recently released an advance notice of proposed rulemaking (ANPR) on potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision. The enhanced standards would apply to U.S. bank holding companies, U.S. operations of foreign banking organizations, and U.S. thrift holding companies, as well as banks and thrifts that meet a $50 billion threshold on a consolidated basis or perform an activity that is deemed to be critical to the financial sector. The agencies also are considering applying the standards to third-party service providers to depository institutions and their affiliates that are covered entities. Separately, the Federal Reserve Board is considering applying the standards to FSOC-designated nonbank financial companies and financial market utilities, as well as other financial market infrastructures subject to Federal Reserve supervision.
The ANPR addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness (a single combined category). The cyber risk standards would be tiered, with an additional set of higher standards for systems that are considered critical to the financial sector. The agencies are also seeking comments on potential methodologies to quantify cyber risk and to compare cyber risk at entities across the financial sector. Comments on the ANPR are due January 17, 2017.