On October 19, 2016, the US Federal Reserve Board, OCC and FDIC jointly released an advance notice of proposed rulemaking (ANPR) seeking comments on enhanced cybersecurity risk-management and resilience standards. The standards would apply to any depository institution or depository institution holding company with total consolidated assets of at least $50 billion, to the US operations of foreign banking organizations with total US assets of at least $50 billion, and to financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve Board.

The ANPR notes that the enhanced standards are not intended to replace the Uniform Rating System for Information Technology (URSIT) as the mechanism for judging IT risk, but instead are intended to inform the cyber-related elements of a URSIT examination. The proposed rule would establish five categories of standards that would apply to the IT systems of a covered institution: (i) cyber risk governance, meaning how an institution creates and maintains a cyber risk strategy; (ii) cyber risk management, meaning identifying, monitoring, managing and reporting on cyber risk; (iii) internal dependency management, meaning managing the cyber risk in an institution's own workforce, data, technology and facilities; (iv) external dependency management, meaning managing the cyber risk in an institution's relationships with outside vendors, suppliers and service providers; and (v) incident response, cyber resilience and situational awareness, meaning planning for, responding to and recovering from cyber incidents.

The proposed rule also takes a two-tiered approach. The five categories of enhanced standards would apply to all IT systems of covered entities, while a higher set of "sector-critical standards" would apply only to those IT systems of covered entities that are critical to the financial sector. Systems deemed "critical to the functioning of the financial sector" would be required to implement the most effective commercially available controls, and their operators would be required to establish, and be examined against, a two-hour recovery time objective for restoring those systems after a disruption.

Comments on the proposal are due January 17, 2017.

The ANPR is available at: https://www.gpo.gov/fdsys/pkg/FR-2016-10-26/pdf/2016-25871.pdf.
