Federal Banking Regulators Float Possible (Extensive) Cyber Risk Standards

By Randi Morrison posted 10-21-2016 05:11 PM

On Wednesday, the OCC, Federal Reserve and the FDIC issued this joint advance notice of proposed rulemaking: "Enhanced Cyber Risk Management Standards" that would impose - among many other things - extensive cyber risk oversight obligations on the boards of directors of covered entities, as well as potentially require boards to have "adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise":

The board of directors of a covered entity would oversee and hold senior management accountable for implementing the entity's cyber risk management framework. In this regard, the agencies are considering requiring the board of directors to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise. Consistent with existing agency expectations, the enhanced standards would require the board of directors to have and maintain the ability to provide credible challenge to management in matters related to cybersecurity and the evaluation of cyber risks and resilience.

As noted in Covington's memo, the scope of potential coverage is quite extensive:

- U.S. bank holding companies and saving and loan holding companies with total consolidated assets of $50 billion or more, including their non-bank subsidiaries;
- U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more;
- Non-bank financial companies designated by the Financial Stability Oversight Council and supervised by the Federal Reserve;
- National banks and federal savings associations with total consolidated assets of $50 billion or more (and national banks and federal savings associations that are subsidiaries of a parent holding company with total consolidated assets of $50 billion or more);
- Federal branches of a foreign bank that has total consolidated assets of $50 billion or more;
- State-chartered banks with total consolidated assets of $50 billion or more (and state-chartered banks that are subsidiaries of a parent holding company with total consolidated assets of $50 billion or more);
- Financial market utilities designated as systemically important by the Financial Stability Oversight Council that are supervised by the Federal Reserve;
- Financial market infrastructures that are members of the Federal Reserve or that are operated by the Federal Reserve Banks.

The Agencies also are considering applying the standards to third-party service providers with respect to services they provide to depository institutions and their affiliates that are covered entities—i.e., covered services.

See also the release and these additional memos below - which we will be posting (along with others as they trickle out) on our Cybersecurity topical page, and watch for more focused analysis in next week's Society Alert:
