WASHINGTON – Federal regulators are looking to set up new standards for big banks’ planning and testing for possible cyberattacks. The aim is to bolster the banking industry’s defences amid concern over periodic security breaches at U.S. banks.
The move announced Wednesday by the Federal Reserve, the Federal Deposit Insurance Corp. and a Treasury Department banking agency is designed to get banks’ senior executives and directors to pay closer attention to cybersecurity, agency officials said.
Fed Chair Janet Yellen has said that cybercrime is a “very significant threat.”
The proposal, open to public comment for three months, would apply to banks with $50 billion or more in assets. That would affect several dozen major banks and a few big insurance companies, all deemed to be so interconnected with the financial system that a cyberattack against one of them could shake the system’s stability.
In a stunning incident early this year, hackers diverted $101 million from the Bangladesh central bank’s account at the New York Federal Reserve.
The theft amplified worries about the security of the SWIFT global money-transfer system, which is overseen by the Fed and other central banks. Belgium-based SWIFT, formally the Society for Worldwide Interbank Financial Telecommunication, is a co-operative that manages the international transfer system among banks. The hackers in the Bangladesh bank case apparently got the money by stealing the central bank’s SWIFT access codes.
The rules proposed by the three agencies would pile on a second set of stricter standards for big banks’ computer systems that are considered critical to the functioning of the financial industry.
The banks should establish goals for how long it would take them to recover from a cyberattack, and should assess the potential for malware or corrupted data to spread through connected computer systems, the regulators said.
The proposal doesn’t require the banks to submit their cybersecurity plans for approval or to notify the regulators if they suffer a data breach.
Beyond their oversight of banks’ efforts, the agencies themselves have suffered some serious security breaches. Computers at the Fed were penetrated dozens of times between 2011 and 2015, according to House lawmakers. The breaches raised concerns about the Fed’s ability to safeguard sensitive financial information in its computer systems, the lawmakers said.
The Chinese government, meanwhile, is believed to have hacked into computers at the FDIC in 2010, 2011 and 2013, including the workstation of then-FDIC Chair Sheila Bair, according to a congressional report. It cites a May 2013 memo from the FDIC inspector general to agency Chairman Martin Gruenberg, describing an “advanced persistent threat” said to have come from the Chinese government — which compromised 12 computer workstations and 10 servers at the FDIC.
The issue of suspected Chinese government hacking has been sensitive since the disclosure last year of a massive breach of the U.S. Office of Personnel Management’s databases, which the U.S. believed was carried out by Chinese cyber spies. In one of the worst data breaches in U.S. history, the personal files of 21 million Americans were stolen.