ARTICLE
1 December 2016

US Federal Reserve Board, Office Of The Comptroller Of The Currency And Federal Deposit Insurance Corporation Issue Advance Notice Of Proposed Rulemaking On Enhanced Cyber Risk Management Standards

Shearman & Sterling LLP

The US Federal Reserve Board, OCC and FDIC jointly released an advance notice of proposed rulemaking (ANPR) seeking comments on enhanced cybersecurity risk-management and resilience standards.

On October 19, 2016, the US Federal Reserve Board, OCC and FDIC jointly released an advance notice of proposed rulemaking (ANPR) seeking comments on enhanced cybersecurity risk-management and resilience standards. The new rule would apply to any depository institution or holding company with consolidated assets of at least $50 billion, to foreign banking organizations with total US assets of at least $50 billion, and to financial infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board.

The ANPR notes that the enhanced standards are not intended to replace the Uniform Rating System for Information Technology (URSIT) as a mechanism for judging IT risks, but instead are intended to inform the cyber-related elements of the URSIT system. The proposed rule would establish five categories of standards that would apply to the IT systems of a covered institution: (i) cyber risk governance—how an institution creates and maintains a cyber risk strategy; (ii) cyber risk management—identifying, monitoring, managing and reporting on cyber risk; (iii) internal dependency management—managing risks in an institution's workforce, data, technology or facilities; (iv) external dependency management—managing risks in an institution's relationships with outside vendors, suppliers and service providers; and (v) incident response, cyber resilience and situational awareness—planning for, responding to and recovering from cyber incidents.

The proposed rule also takes a two-tiered approach: the five categories of enhanced standards would apply to all IT systems of covered entities, while a higher set of "sector-critical standards" would apply only to those IT systems of covered entities that are critical to the financial sector. Systems deemed "critical to the functioning of the financial sector" would be required to implement the most effective commercially available controls, and would be required to have, and be examined for, a two-hour recovery window after disruptions.

Comments on the proposal are due January 17, 2017.

The ANPR is available at: https://www.gpo.gov/fdsys/pkg/FR-2016-10-26/pdf/2016-25871.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
