Speeches & Testimony
Statement of Martin J. Gruenberg, Chairman, Federal Deposit Insurance Corporation
Joint Advance Notice of Proposed Rulemaking: Enhanced Cyber Risk Management Standards
October 19, 2016
The FDIC Board today is considering a joint Advance Notice of Proposed Rulemaking (ANPR), developed in coordination with the Office of the Comptroller of the Currency and the Federal Reserve Board, to advance the development of enhanced cyber risk management standards for the largest and most interconnected entities under their respective supervisory jurisdictions, and those entities' service providers.
This ANPR would build on the existing framework of information technology guidance already in place. The enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experienced by one of these entities.
To meet these goals, the ANPR addresses five categories of cyber standards: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
As a general rule, the agencies are considering applying the enhanced standards on an enterprise-wide basis to U.S. bank holding companies, U.S. operations of foreign banking organizations, and U.S. thrift holding companies, as well as banks and thrifts that meet the $50 billion threshold on a consolidated basis or perform an activity that is deemed to be critical to the financial sector. The agencies also are considering applying the standards to services provided by third parties to depository institutions and their affiliates that are covered entities.
Separately, the Federal Reserve Board is considering applying the standards to FSOC-designated nonbank financial companies and financial market utilities, as well as other financial market infrastructures subject to Federal Reserve supervision.
In addition to the size and activity thresholds for coverage, the ANPR discusses a possible two-tiered approach for an additional, higher set of expectations that would apply to those systems of covered entities that are critical to the financial sector.
The ANPR would not apply to community banks. They, and other institutions not covered by the ANPR, would continue to be subject to current generally applicable guidance and standards.
I support the issuance of this ANPR to initiate further discussion of how to manage these cyber issues. I look forward to reviewing the comments submitted in response to the ANPR. I would like to thank FDIC staff, and staff at the Federal Reserve and OCC, for their work on this important and timely matter.