WASHINGTON — U.S. regulators on Wednesday unveiled an initial plan to bolster the ability of the country’s largest banks to withstand a major cyberattack, a move aimed at protecting the U.S. financial system in the event of a technology failure.
The plan, released jointly by the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, would strengthen the way agencies oversee how large U.S. banks and foreign banks operating in the U.S. with $50 billion or more in assets manage and address threats to cybersecurity.
“It’s kind of remarkable to sit and think that in the course of just a generation… we’ve gone from a situation where institutions had no dependence on IT to … [what] feels like an utter dependence on IT,” said Richard Cordray, head of the Consumer Financial Protection Bureau and a member of the FDIC board, at a meeting to discuss the proposal.
The draft plan would impose the toughest restrictions on firms considered to pose the greatest risk to the financial system. Those firms would have to prove they can get their core operations running within two hours of a cyberattack or major IT failure. The new rules also would apply to nonbank financial companies deemed systemically risky by a panel of regulators headed by Treasury Secretary Jacob Lew.
Regulators have been wrestling with how to shield financial firms from increasing cybercrimes following a series of attacks that have cost the industry billions of dollars and have shaken American consumers’ confidence.
A February hack that siphoned $81 million from Bangladesh’s central bank and the 2014 hack at J.P. Morgan Chase & Co. that compromised information on millions of customers have spurred both regulators and firms to reinforce their defenses.
The draft plan is aimed at “increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities,” FDIC Chairman Martin Gruenberg said at the board meeting.
Deputy Treasury Secretary Sarah Bloom Raskin, speaking Tuesday at a Wall Street Journal Pro Financial Regulation conference, said cybercrime in the financial sector “hits directly on this notion of interconnectedness” and “goes right to the heart of what we think of as potentially systemic.”
That is especially the case given banks’ increasing dependence on information technology to carry out financial transactions, creating more potential for “high-impact IT failures and cyberattacks,” regulators said in the draft plan.
“Due to the increasing interconnectedness of the U.S. financial system, a cyber incident or IT failure at one entity may impact the safety and soundness of other financial entities and introduce potentially systemic consequences,” the draft plan states.
The three agencies involved already examine their respective banks’ information security practices during regular supervisory reviews. But regulators say the new standards will help to strengthen cybersecurity practices while reducing the potential harm from an attack or IT failure on the financial system.
The proposed standards would require financial firms to develop and maintain a cybersecurity risk management plan approved by their boards and incorporated into their business strategies. They also would require banks to apply those cyberdefenses in their business units and incorporate them into company audits.
Under the proposal, institutions also would be required to establish and implement a plan that would allow them to continue to perform core business functions during a cyberattack.
At the board meeting, Comptroller of the Currency Thomas Curry said the improved standards would “complement” existing programs used by the agencies to oversee firms’ existing IT framework. “The proposed standards would not supersede or replace any of the other efforts we’ve undertaken to help enhance cyber security in the financial sector,” said Mr. Curry.
The public has 90 days to comment on the initial proposal. All comments are due on Jan. 17.
Source: Advisen Front Page News