October 19, 2016

New potential cyber standards proposed for big banks

The Federal Reserve, FDIC and Office of the Comptroller of the Currency yesterday issued an initial plan and invited comments on a set of enhanced cybersecurity risk-management standards that would apply to supervised institutions that have $50 billion or more in assets.

Under the advance notice of proposed rulemaking, financial market infrastructure companies and nonbank financial companies supervised by the Fed would also fall under the rule. The proposed standards would not apply to community banks, the agencies said.

Financial firms would be required to develop and maintain a cyberrisk management plan under the proposed standards. Banks would also have to use the cyberrisk management strategies in their business units and company audits.

Also under the proposal, institutions would be required to establish and employ a plan that would allow them to continue to perform core business functions during a cyberattack.

The regulators said the standards would be folded into the agencies' existing information technology supervisory framework. Comments are due Jan. 17.

NCUA is not part of this proposed standard but has noted that cybersecurity is, and will likely remain, an exam priority for credit unions.