Regulators Drop Stiffer Cybersecurity Regulations On Big Banks

Working collaboratively, the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency have unveiled a new plan to bolster the ability of the country’s largest banks to withstand a major cyberattack. The new regulations come as one of many efforts to protect the U.S. financial system in the event of a technology failure or systemic shutdown.

The regulators’ plan is designed to enhance how agencies oversee large U.S. banks and foreign banks operating in the U.S. For the purposes of the new rule, a “big bank” is one with $50 billion or more in assets.

“It’s kind of remarkable to sit and think that in the course of just a generation… we’ve gone from a situation where institutions had no dependence on IT to … [what] feels like an utter dependence on IT,” said Richard Cordray, head of the Consumer Financial Protection Bureau and a member of the FDIC board, at a meeting to discuss the proposal.

The plan places the toughest requirements on the largest and most systemically connected banks: those posing the greatest risk to the financial system must be able to demonstrate that their core operations can be back up and running within two hours of a major cyberattack or IT failure.

And nonbank financial firms are not outside the reach of the rule — nonbank financial services firms deemed systemically risky by a panel of regulators headed by Treasury Secretary Jacob Lew also fall under the new rule set.

The draft plan, according to regulators, is aimed at “increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities,” FDIC Chairman Martin Gruenberg said at the board meeting.

“Due to the increasing interconnectedness of the U.S. financial system, a cyber incident or IT failure at one entity may impact the safety and soundness of other financial entities and introduce potentially systemic consequences,” the draft plan states.

The new standards would require firms to develop and maintain a cybersecurity risk management plan that is approved by their boards and incorporated into their business strategies. They would also require banks to apply those cyberdefenses within their business units and incorporate them into company audits.

At the board meeting, Comptroller of the Currency Thomas Curry said the improved standards are meant to complement existing regulations.

The public has 90 days to comment on the initial proposal. All comments are due on Jan. 17.