US Fed calls for cybersecurity feedback
The US Federal Reserve has approved an advance notice of proposed rulemaking (ANPR) and wants comments on its cybersecurity risk-management and resilience standards.
In its 48-page report “Enhanced Cyber Risk Management Standards”, the Fed says the standards will apply to large and interconnected entities under their supervision, as well as to services provided by third parties to these firms.
In addition, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the US operations of foreign banking organisations with total US assets of $50 billion or more, and financial market infrastructure companies and non-bank financial companies supervised by the board.
The Fed says the proposed standards would not apply to community banks.
The standards would be tiered, with an additional set of higher standards for systems that provide “key functionality” to the financial sector.
For these sector-critical systems, the participating agencies are considering requiring firms to “substantially mitigate” the risk of a disruption or failure due to a cyber event.
The agencies are issuing an ANPR before developing a more detailed proposal for consideration.
They also want comments on potential “methodologies” that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector.
Comments on the ANPR are due 17 January 2017.
The full 48-page report is here with the relevant contact details.