Publications & Events

Regulators Diverge on How Best to Manage Growing Cybersecurity Risks

On October 19, the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency (the Agencies) issued an advance notice of proposed rulemaking (ANPR) seeking to enhance cyber risk management standards at large financial institutions via implementation of nearly 80 separate cybersecurity-related requirements.1

The ANPR, which solicits public comment on 39 multi-part questions,2 was issued four weeks after the New York State Department of Financial Services (NYDFS) proposed its own rule requiring New York statelicensed entities to adopt specific cybersecurity protections (NY Proposal).3 While the ANPR solicits comment, the NY Proposal is scheduled to become effective in January 2017.

Although both the ANPR and NY Proposal would heighten regulatory expectations and require covered institutions to enhance controls to manage cybersecurity risks, the proposals differ significantly in approach. The ANPR sets forth a more fluid, principles-based framework of cybersecurity controls, whereas the NY Proposal details specific, proscriptive cybersecurity requirements for covered institutions. The ANPR envisions a rule requiring covered financial institutions to incorporate cybersecurity controls in all aspects of their existing risk management procedures, allowing them to customize compliance approaches. In contrast, the NYDFS rule would require covered entities to implement specific technologies and actions to contain cybersecurity risks, and imposes a significantly more rigorous and aggressive compliance regime.


Click here to download PDF.


1 See:
2 Appendix A, attached below, lists every requirement and recommendation in the ANPR.
3 The New York State Department of Financial Services is the state regulator for banks, money transmitters, lenders, and insurance companies that operate in New York. See:


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP