Regulators propose stricter cybersecurity rule for big banks
WASHINGTON — Federal regulators have a new reason to worry that some banks might be too big to fail — cybersecurity.
Federal bank regulators on Wednesday put out an advance notice of proposed rulemaking that, if it leads to a final rule, would subject the nation’s largest banks to enhanced cyber risk management standards.
“Specifically, the agencies are considering a requirement that covered entities develop a written, board-approved, enterprise-wide cyber risk management strategy that is incorporated into the overall business strategy and risk management of the firm,” they wrote in the proposed rule.
The recent hacks of the Democratic National Committee and of the email accounts of Hillary Clinton’s campaign chief John Podesta have highlighted cyber threats. Consumers and the financial sector today depend heavily on the internet and mobile devices for transactions, and bank regulators worry that the interconnectedness of the financial system poses unique risks.
Advance notice issued
The Federal Deposit Insurance Corp. issued the advance notice of proposed rulemaking Wednesday, joined by the Federal Reserve and the Office of the Comptroller of the Currency.
“Separately, the Federal Reserve Board is considering applying the standards to nonbank financial companies and financial market utilities, as well as other financial market infrastructures subject to Federal Reserve supervision,” FDIC Chairman Martin Gruenberg said in a statement.
Translation: The tougher rules and standards would apply not just to banks but to many of the critical components that make up the complex, interconnected web that is the financial system.
Under the 2010 revamp of financial regulation, which followed the near collapse of the financial sector in 2008, the largest banks were subjected to greater reporting requirements and limits on their risk-taking. They escaped worse, given the talk of breaking up the largest institutions on the grounds that they were so big that their failure could drag down the financial system.
Five areas of risk
Wednesday’s proposal addresses that concern about the largest banks. It would generally apply to institutions with total assets of $50 billion or more, and it does not spell out specific standards. Instead, it would require these institutions to meet and report to regulators on enhanced standards in five areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.
Even as they oversee banks’ cyber defenses, the agencies themselves have suffered serious security breaches. Computers at the Fed were penetrated dozens of times between 2011 and 2015, according to House lawmakers, who said the breaches raised concerns about the Fed’s ability to safeguard sensitive financial information.
The Chinese government, meanwhile, is believed to have hacked into computers at the FDIC in 2010, 2011 and 2013, including the workstation of then-FDIC Chair Sheila Bair, according to a congressional report. The report cites a May 2013 memo from the FDIC inspector general to Gruenberg describing an “advanced persistent threat” said to have come from the Chinese government.