Last month, the Fed, OCC, and FDIC jointly issued an ANPR intended to strengthen the abilities of large, interconnected financial services organizations to prevent and recover from cyber attacks.
The ANPR goes beyond existing regulatory guidance and industry practice in several ways. For example, the proposal calls for secure offline storage of critical data and requires that critical systems be able to recover from a disruption within two hours, both of which will be challenging requirements for most organizations to meet. Additionally, the proposal applies directly to third-party service providers, whose cyber practices are not as sophisticated as those of large financial services entities.
This Financial crimes observer analyzes the ANPR’s requirements, identifying key challenges.