Financial regulators this week said they plan to propose new rules to help the nation’s biggest banks bounce back from any future cyberattacks waged against Wall Street.
The Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve outlined their intentions in a notice of proposed rule-making published Wednesday in which the agencies acknowledge the potential for hackers to cause widespread havoc by exploiting the security of even a single bank.
“As technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyberattacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences,” the regulators wrote.
The agencies are accepting public comments through mid-January before they finalize the “enhanced standards” that major banks will be asked to abide by, but they have already unveiled five specific categories they hope to address by implementing the proposed rules: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.
“The enhanced standards would be designed to increase covered entities’ operational resilience and reduce the potential impact on the financial system in the event of a failure, cyberattack or the failure to implement appropriate cyber risk management,” the notice said.
The rules would divide financial institutions by size into two tiers, “imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.” The dividing point will largely be determined by whether a particular institution holds more or less than $50 billion in assets and is therefore considered “sector critical,” or otherwise irreplaceable if sidelined by a cyberattack. The $50 billion threshold is the same dividing line used to categorize banks as “Systemically Important Financial Institutions” under the Dodd-Frank Wall Street Reform and Consumer Protection Act, District Sentinel reported Wednesday.
The proposal comes in the wake of a scathing report released by the U.S. House Science, Space and Technology Committee in July which accused FDIC officials of understating to Congress the scope and scale of recent security breaches suffered by the regulator.
“It is also clear that the FDIC deliberately evaded congressional oversight,” the panel said when its report was released. “In addition, the committee found the FDIC has historically experienced deficiencies related to its cybersecurity posture, and those deficiencies continue to the present.”
The FDIC took little action to address lax security in spite of being hacked several times by actors presumed to be working for the Chinese government, the committee’s report said.
While the Beijing-blamed hack went largely undisclosed until the release of the panel’s report, high-profile breaches suffered by banks in recent years have proven to be the result of some of the most significant cyberattacks to date. More than 100 million JPMorgan Chase customers had their account information compromised in a 2014 heist described by the Justice Department as the largest bank hack in history, and over $81 million was stolen from the Bank of Bangladesh in February through a cyberscheme involving the New York Fed.
• Andrew Blake can be reached at ablake@washingtontimes.com.