Agencies issue advance notice of proposed rulemaking on enhanced cyber risk management standards
Board of Governors of the Federal Reserve System
Office of the Comptroller of the Currency
Federal Deposit Insurance Corporation
For immediate release
October 19, 2016
The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Board. The proposed enhanced standards would not apply to community banks.
The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.
To benefit from comments on all aspects of the potential enhanced standards, the agencies are issuing an advance notice of proposed rulemaking (ANPR) before developing a more detailed proposal for consideration. The agencies are also asking for comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector. Comments on the ANPR are due January 17, 2017.
Attachment: Proposed Federal Register Notice of ANPR (PDF)
| Agency | Contact | Phone |
|---|---|---|
| Federal Reserve Board | Darren Gersh | (202) 452-2955 |
| OCC | Stephanie Collins | (202) 649-6870 |
| FDIC | Barbara Hagenbaugh | (202) 898-7192 |