The Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency ("OCC") and the FDIC (collectively, the "Agencies") requested comments on an Advanced Notice of Proposed Rulemaking ("ANPR") that would enhance cyber risk management standards for large and interconnected entities under the Agencies' supervision, and for the entities' service providers. The ANPR addresses five categories of cyber standards: (i) cyber risk governance, (ii) cyber risk management, (iii) internal dependency management, (iv) external dependency management, and (v) incident response, cyber resilience, and situational awareness. The proposed enhanced standards would apply to certain entities with consolidated assets that total $50 billion or more on an enterprise-wide basis.
The Agencies stated that they are considering "implementing the enhanced standards in a tiered manner" and "imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector."
Comments on the ANPR must be submitted by January 17, 2017.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.