Federal Financial Regulators to Propose Enhanced Cyber Risk Management Standards

25 October 2016

Key takeaways

  • On October 19, 2016, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation issued an advance notice of proposed rulemaking regarding enhanced cyber risk management standards. Although the enhanced standards would apply chiefly to financial institutions with $50 billion or more in assets, the agencies have invited comment and input from stakeholders on, among other things, the scope of the standards’ application. Comments are due January 17, 2017.
  • The proposed standards contemplate enterprise-wide accountability for cybersecurity, with a focus on input and oversight by senior management and boards of directors of financial institutions.
  • The proposal also suggests that the enhanced standards might require the same levels of security for financial institutions’ third-party vendors.
  • The agencies have proposed establishing two tiers of standards, with higher levels of security for systems that are critical to the entire financial sector.
  • The agencies have yet to adopt a specific approach to implementing the enhanced standards, reflecting the struggle that regulators face in addressing a fast-moving risk area.