The Federal Government’s three most powerful financial regulators, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve and the Office of the Comptroller of the Currency (OCC), will propose new cybersecurity rules designed to protect financial institutions from cyberattacks. According to a recent Reuters article, banks with $50 billion or more in assets must adopt the most sophisticated cybersecurity and anti-hacking tools so that they can respond to a cyberattack within two hours. The new rule will apply to roughly 40 banks as well as additional “non-bank financial companies.” While the selected firms would not be required to submit cybersecurity plans to federal regulators, agency officials say they will monitor them for compliance.
The new rules will be divided into five separate categories. The first mandates that firms create a written risk management strategy approved by the board. Second, firms must “identify, measure, monitor, and control cyber risk consistent with the entity’s risk appetite and tolerances.” Third, the rules require firms to establish an internal risk management department that coordinates with the company’s board of directors. Fourth, firms must “gauge cyber risks brought on by their internal assets like company hardware and technology and external business relationships.” Lastly, the covered firms must create a formal strategy for dealing with cyberattacks and data breaches. The rules are set to be finalized after industry input.