The FDIC, FRB, and OCC today released a joint ANPR requiring enhanced cyber risk management at large banks and holding companies, FBOs over the $50 billion threshold, designated SIFIs, financial market utilities (FMUs), and financial market infrastructures (FMIs) supervised or operated by the Federal Reserve. All of these entities would also need to ensure that any firm providing critical services is cyber-resilient in accordance with these standards. The ANPR is striking first in its coverage of designated SIFIs and FMUs – to date, the FRB has largely exempted these institutions from the rules governing BHCs with assets over $50 billion or focused specifically on supervisory matters. In addition, the FRB has never covered itself by like-kind prudential standards. The sweeping approach of this rule clearly reflects the scope of the cybersecurity threat perceived by federal regulators at institutions and third parties, Treasury’s commitment to action at the recent G7 meeting, and SWIFT-related embarrassments at the FRB.