The Atlanta Journal-Constitution

Regulators plan to tighten banks’ cyber defenses

Fed chief says industry needs to pay attention to ‘significan­t threat.’

WASHINGTON — Federal regulators are looking to set up new standards for big banks’ planning and testing for possible cyberattac­ks. The aim is to bolster the banking industry’s defenses amid concern over periodic security breaches at U.S. banks.

The move announced Wednesday by the Federal Reserve, the Federal Deposit Insurance Corp. and a Treasury Department banking agency is designed to get banks’ senior executives and directors to pay closer attention to cybersecur­ity, agency officials said.

Fed Chair Janet Yellen has said that cybercrime is a “very significan­t threat.”

The proposal, open to public comment for three months, would apply to banks with $50 billion or more in assets. That would affect several dozen major banks and a few big insurance companies, all deemed to be so interconne­cted with the financial system that a cyberattac­k against one of them could shake the system’s stability.

In a stunning incident early this year, hackers diverted $101 million from the Bangladesh central bank’s account at the New York Federal Reserve.

The theft amplified worries about the security of the SWIFT global money-transfer system, which is overseen by the Fed and other central banks. Belgium-based SWIFT, formally the Society for Worldwide Interbank Financial Telecommun­ication, is a cooperativ­e that manages the internatio­nal transfer system among banks. The hackers in the Bangladesh bank case apparently got the money by stealing the central bank’s SWIFT access codes.

The rules proposed by the three agencies would pile on a second set of stricter standards for big banks’ computer systems that are considered critical to the functionin­g of the financial industry.

The banks should establish goals for how long it would take them to recover from a cyberattac­k, and should assess the potential for malware or corrupted data to spread through connected computer systems, the regulators said.

The proposal doesn’t require the banks to submit their cybersecur­ity plans for approval or to notify the regulators if they suffer a data breach.

Beyond their oversight of banks’ efforts, the agencies themselves have suffered some serious security breaches. Computers at the Fed were penetrated dozens of times between 2011 and 2015, according to House lawmakers. The breaches raised concerns about the Fed’s ability to safeguard sensitive financial informatio­n in its computer systems, the lawmakers said.