Stinson Leonard Street Dodd Frank

MAKING SENSE OF DODD-FRANK

The Dodd-Frank Act has broad and deep implications that will touch every corner of financial services and multiple other industries. This site, developed and maintained by attorneys at Stinson Leonard Street, is dedicated to making sense of this complex legislation and helping businesses understand how it will affect them specifically. Our Bloggers »

Dodd-Frank

Bank Regulators Issue Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards

by   |   October 19, 2016

Three federal banking regulatory agencies have approved an advance notice of proposed rulemaking (ANPR) inviting comment on a set of potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision. The standards would apply as well to services provided by third parties to these firms.

The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Board. The proposed enhanced standards would not apply to community banks.

The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.

To benefit from comments on all aspects of the potential enhanced standards, the agencies are issuing an ANPR before developing a more detailed proposal for consideration. The agencies are also asking for comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector. Comments on the ANPR are due January 17, 2017.