Banking regulators outlined a new set of rules Wednesday aimed at tightening cybersecurity requirements to protect financial markets and customers from online attacks.
A proposal from the Federal Reserve Board, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation suggests minimum standards and requirements for how the nation’s largest financial institutions are supposed to prepare for, track and respond to potentially catastrophic hacks.
The proposals do not spell out what fines or other consequences would be meted out should banks fail to meet the “binding requirements.” The notice of proposed rulemaking serves as a starting point for the industry and others to begin offering feedback; the deadline for comments is Jan. 17.
The proposal suggests banks with more than $50 billion in assets would be subject to the requirements, sparing smaller community banks, whose vulnerabilities are less likely to wreak havoc on the global financial system.
Under current regulations, individual institutions are largely responsible for their own systems, governed by a network of frameworks and guidelines.
Those who lobby on behalf of big banks prefer to keep it that way, arguing that blanket requirements can be counterproductive because individual banks differ in their cybersecurity needs. The American Bankers Association, which represents banks, supports a broad framework that “harmonizes” existing regulations but argues against strict requirements.
“What we’re accustomed to having in place particularly as it relates to cyber risk is the ability to utilize our own discretion,” said Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association. “Different organizations have different risks based on the types of organizations that they support.”
The suggested requirements mostly concern how banks manage cyber risk, but they also propose new requirements on how banks should prepare for and recover from harmful hacks. Such standards could make winners and losers out of an already-thriving cottage industry of corporate cybersecurity firms using advanced technology to identify threats.
The proposal floats a possible requirement that banks have separate senior leaders in charge of cyber-risk management with direct access to company boards of directors. Such a requirement would formalize a trend that has been percolating in much of the business world for years, as more chief information security officers take their seat in top management.
Perhaps in response to a slew of ransomware attacks over the past year, in which attackers encrypt or otherwise lock up critical data and demand payment under threat of leaving it unrecoverable, the proposal demands “secure, immutable, offline storage of records” relating to things like loan data and account records. And the draft rules would require that banks have the capacity to recover from a disruptive cybersecurity attack within two hours.