Federal banking regulators have a new reason to worry that some banks might be too big to fail: cybersecurity.
Collectively, these regulators Wednesday put out a notice of proposed rulemaking that, if enacted, would subject the nation’s largest banks to enhanced cyber risk management standards.
“Specifically, the agencies are considering … a requirement that covered entities develop a written, board-approved, enterprise-wide cyber risk management strategy that is incorporated into the overall business strategy and risk management of the firm,” they wrote in the proposed rule.
The recent hacks of the Democratic National Committee and of the email accounts of Hillary Clinton’s campaign chief John Podesta have served to highlight cyber threats. Consumers and the financial sector today depend heavily on the Internet and mobile devices for transactions, and bank regulators worry that the interconnectedness of the financial system poses unique risks.
The Federal Deposit Insurance Corporation issued an advance notice Wednesday of the proposed rulemaking, and was joined by the Federal Reserve and the Office of the Comptroller of the Currency.
“Separately, the Federal Reserve Board is considering applying the standards to … nonbank financial companies and financial market utilities, as well as other financial market infrastructures subject to Federal Reserve supervision,” FDIC Chairman Martin J. Gruenberg said in a statement.
Translation: The tougher rules and standards would apply not just to banks but to many of the critical components that make up the complex, interconnected web that is the financial system.
“The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector.” (The Board of Governors of the Federal Reserve System, in a statement on Oct. 19, 2016.)
Under the 2010 revamp of financial regulation, which followed the near collapse of the financial sector in 2008, the largest banks were subjected to greater reporting requirements and limits on their risk taking. They escaped worse, given the talk of breaking up the largest institutions on the grounds that they were so big that their failure could drag down the financial system.
Wednesday’s proposed rule addresses that concern about the largest banks. It generally applies to institutions with assets of $50 billion or more, and doesn’t spell out specific standards. Instead, it will require these institutions to report to regulators about enhanced standards in five areas: cyber risk governance, cyber risk management, internal dependency management, external dependency management and incident response, which encompasses cyber resilience and situational awareness.