Prudential regulators announced on Wednesday that they intend to formulate new cybersecurity rules for the country’s largest banks.
Three major agencies said that they plan on formally proposing the guidelines in January, and welcomed public comment, per standard procedure.
The Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve are administering the push. In an advance notice of the proposal, they stated that efforts will focus on “cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.”
Only banks with more than $50 billion in assets would be forced to comply. The threshold is the same as the “Systemically Important Financial Institution” (SIFI) designation under Dodd-Frank, which triggers enhanced rules for the country’s largest banks.
“The [proposal] would not apply to community banks,” FDIC Chair Martin Gruenberg said in a statement. “They, and other institutions not covered by the [proposal], would continue to be subject to current generally applicable guidance and standards.”
Banking regulators have been paying increased attention to cybersecurity this year, independent of claims by the Obama administration and the Hillary Clinton campaign about Russian hacking, allegedly conducted to influence the Presidential election.
JP Morgan and Morgan Stanley, two SIFIs, have recently suffered major data breaches, as has the FDIC itself, Phys.org noted in July. And those intrusions came amid multimillion-dollar online thefts from banks in Bangladesh, the Philippines, Vietnam and Ecuador.
In recent weeks, the Commodity Futures Trading Commission (CFTC) finalized a separate set of new rules on cyber defenses for central nodes of financial markets.
“They require the core infrastructure in our markets—that is, the exchanges, clearinghouses, trading platforms, and trade repositories—to regularly evaluate cyber risks and test their cybersecurity and operational risk defenses,” CFTC Chair Timothy Massad noted on Tuesday.
“We are also continuing to make cybersecurity a priority in our examinations,” he added.