In part one of our two part blog series, we will review and discuss the cyber ANPR for Financial Institutions.
On October 19, 2016, the three regulatory banking agencies, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve (FRB) jointly approved and announced an advance notice of proposed rulemaking (ANPR). This enhanced cyber risk management standard not only applies to financial institutions large in scale, but interconnected agencies under their supervision and services provided to them by third parties. As invited by the regulatory bodies, comments will be due by January 17, 2017.
From a broad standpoint, the ANPR will set significantly higher standards for a broad set of US based organizations:
- US banks, bank holding companies, foreign banking organizations, and savings and loan holding companies with assets over $50BN
- Non-bank financial institutions designated as systemically important by the Financial Stability Oversight Counsel (FSOC)
- FRB-regulated financial market intermediaries and FSOC-designated financial market utilities
- Services provided by third parties to a covered entity
From a high level the ANPR contains 80+ discrete questions, poses 39 queries to industry specific participants, creates a guideline to implement, from an overall regulation with direction on highly detailed objectives and requirements spanning five categories and requests that banks specifically provide comments.
The five categories of cyber risk management discussed in the ANPR are:
- Cyber risk governance
- Cyber risk management
- Internal dependency management
- External dependency management
- Incident response, cyber resilience and situational awareness
Cytegic has noticed and continues to notice a trend for regulation throughout the globe, spanning multiple industries and expects to see regulation increase and tighten moving forward. If your organization is affected by the ANPR and you would like to learn more about the proposed items, the immediate actions you should take and learn how Cytegic can help, please click here or contact a trusted representative at email@example.com.
Stay tuned next week for part two, which will discuss and review the three approaches and how your organization can leverage Cytegic to meet the requirements of the cyber ANPR.