U.S. regulators unveiled draft cybersecurity standards aimed at protecting the U.S. financial system in the event of a technology failure or cyberattack. The plan, authored by the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, would strengthen the way agencies oversee how large U.S. banks and foreign banks operating in the U.S. with $50 billion or more in assets manage and address threats to cybersecurity.
The draft plan would impose the toughest restrictions on firms considered to pose the greatest risk to the financial system. Those firms would have to prove they can get their core operations running within two hours of a cyberattack or major IT failure. The new rules also would apply to nonbank financial companies deemed systemically risky by a panel of regulators.
Regulators have been wrestling with how to shield financial firms from increasing cybercrimes following a series of attacks that have cost the industry billions of dollars and have shaken American consumers’ confidence. The draft plan is aimed at “increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.”
The plan states that “Due to the increasing interconnectedness of the U.S. financial system, a cyber incident or IT failure at one entity may impact the safety and soundness of other financial entities and introduce potentially systemic consequences.”
The proposed standards would require:
- financial firms to develop and maintain a cybersecurity risk management plan approved by their boards and incorporated into their business strategies.
- banks to use the cyberdefenses in their business units and incorporate them into company audits.
- institutions also would be required to establish and implement a plan that would allow them to continue to perform core business functions during a cyberattack.
This link has the complete Proposed-enhanced-cyber-risk-management-standards
The public has 90 days to comment on the initial proposal. All comments are due on Jan. 17.