The agencies said they are considering three main approaches to implementing the standards:
- proposing minimum requirements for a cyber risk governance framework, similar to previous interagency supervisory guidelines;
- proposing regulations containing specific cyber risk management standards in five categories:
  - cyber risk governance;
  - cyber risk management;
  - internal dependency management;
  - external dependency management; and
  - incident response, cyber resilience and situational awareness;
- proposing standards that include specific objectives in each of those categories.
Possible objectives within these categories would include:
- a written, board-approved, enterprise-wide cyber risk management strategy and risk appetite;
- “adequate” board expertise in cybersecurity;
- senior cybersecurity managers who report independently to the board;
- assessments of cybersecurity risk management at the business unit level;
- cyber risk built into an independent risk management function;
- inventories of all internal and external assets that affect cyber risk management;
- real-time monitoring of external dependencies; and
- transition and backup plans in the event of a successful cyber-attack.
Along with bank members of the Financial Services Information Sharing and Analysis Center, ABA has been leading cooperative, private-sector efforts to improve the cyber-resilience of the financial system. ABA will carefully review the proposal and provide comments by Jan. 17, 2017.