The Federal Reserve Board, FDIC, and OCC issued an advance notice of proposed rulemaking (the “Proposed Rules”) on October 19 on enhanced cybersecurity standards for large banks (those with assets totaling $50 billion or more), non-bank financial companies, financial market infrastructures, financial market utilities, and third-party providers that service those entities. The Proposed Rules address five key areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
In addition, a higher set of standards would apply to “sector-critical systems,” those critical to the financial sector as a whole. For these systems, regulated entities will be required to use the most sophisticated tools in the market, along with the capability to recover from a cyber attack within two hours. For further discussion on the Proposed Rules, please see our latest Financial Institutions Law Update.