Financial Regulators Roll Out Proposed Cybersecurity Rules

Financial institutions will need to take new actions to limit cyber risks to the sector under a proposed rule unveiled Wednesday by three federal banking regulatory agencies.

Under the proposal from the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve, banks will have to “substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems.”

“The enhanced standards would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyber-attack, or the failure to implement appropriate cyber risk management,” the agencies said.

The regulators are planning to craft the standards on a tiered basis for institutions with assets totaling $50 billion or more, but they haven’t determined how those tiers will be set up. They do not plan to apply the rules to community banks.

According to the notice, the standards would be split into five categories, including cyber risk governance, risk management and incident response.

Regulators are still in the early stages of planning the rule, and they posed a number of questions for industry stakeholders. Comments on the proposal and answers to questions on how to measure cyber risk in the sector are due by Jan. 17.