Federal Banking Agencies Solicit Comments on Enhanced Cyber Risk Management Standards: Once Established, Enhanced Cyber Risk Standards Would Apply to “Large and Interconnected” Banking Organizations and Certain Non-Bank Service Providers

Sullivan & Cromwell LLP - October 21, 2016

On October 19, 2016, the Board of Governors of the Federal Reserve System (“the Board”), the Office of the Comptroller of the Currency (“the OCC”), and the Federal Deposit Insurance Corporation (“the FDIC”, and the three agencies collectively, “the Agencies”) jointly issued an advance notice of proposed rulemaking (“the ANPR”) soliciting public comment on enhanced cyber risk management standards.  The Agencies are considering enhanced standards designed to increase the operational resilience of large and interconnected entities under their supervision and certain of their service providers and to reduce the potential impact of a cyber-attack or other cyber-related failure on the financial system.  Once established, the enhanced standards would be integrated into the Agencies’ existing IT supervisory framework.  The Agencies are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of entities that are critical to the functioning of the financial sector.  The Agencies plan to use the information collected through the ANPR to develop a more detailed proposal and have pledged to invite public comment on such proposal before adopting any final rule.