Feds unveil sweeping cybersecurity standards for financial industry

A government plan to impose stronger cybersecurity standards on the financial industry is taking aim at a much broader number of companies in the financial sector than had been expected.

The sweeping proposal issued this week by the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency would cover not only Wall Street giants but regional banks, credit card businesses, large insurers and clearinghouses.

{mosads}The public has until January 2017 to comment on the advanced version of the plan. Regulators will then issue a formal proposal and seek more comment before publishing a final rule.

The agencies have said that the plan would target the “largest and most interconnected entities” under their oversight. Some interpreted that to mean it would be limited to firms such as Goldman Sachs or Bank of America, whose failures could bring down the economy.

Instead, the proposal is broader and would subject to tougher requirements any financial company that take deposits and has at least $50 billion in assets.

That includes some regional banks across the country and credit card businesses that offer checking or savings accounts, such as American Express and Discover Financial.

Josh Magri of the Financial Services Roundtable, an industry group with many members that fall under the plan, said it was a surprise that the agencies took such a sweeping approach.

“We thought it would be more aimed toward the largest firms,” Magri, vice president and counsel for regulation and technology at the group, said in an interview with The Hill Extra. “But the $50 billion mark pulls in some regional banks and more institutions than expected.”

A spokesperson for the Securities Industry and Financial Markets Association, whose members include banks, declined to comment, citing the need for more time to study the proposal.

The comprehensive plan highlights the desire for regulators to bulletproof the industry as companies continue to face a growing threat of sophisticated and frequent cyber attacks.

Regulators are also considering whether to apply the cybersecurity proposal to nonbanks deemed “systemically important” to the financial market. Those companies include a handful of major insurers, such as American International Group and Prudential Financial, and several clearinghouses, such as Chicago Mercantile Exchange and Options Clearing Corporation.

The plan would also apply the standards to outside vendors that provide cybersecurity services to the banks and other financial companies that are within the scope of the proposal.

The regulators want each company to have a cybersecurity strategy approved by its board of directors. Senior management would be held responsible for implementing the strategy.

The proposal would also require each company to recover from an attack within two hours to limit any consequences and curb the risks of the disruption spreading to other firms.

Martin Gruenberg, who heads the FDIC, said the “enhanced standards for large and interconnected entities would be aimed at increasing their operational resilience and reducing the impact on the financial system of a cyber event experience by one of those entities.”

See more exclusive policy content and regulatory news on our subscription-only service, The Hill Extra.