On Jun. 9, FCrA board approved rule on cyber risk management.
FCA board report on exam operations, and approved rule on cyber risk management.
Proposed Rule on Cyber Risk
Rescind and revise FCA regulations in 12 CFR 609 governing electronic commerce.
Rename Part 609 to Cyber Risk Management; establish expectations for appropriate risk management, ensure safety and soundness of system institution operations.
Require each institution to implement board-approved cyber risk management plan, maintain robust internal controls, develop technology plan, incorporate business plan.
Consultation
After 30-day congressional review, rule to be published in Federal Register for 60-day comment period.
Jul. 2022 FCrA Fed Reg Proposed Rule
On Jul. 28, 2022, FCrA issued proposal in Federal Register; comments due Sep. 26, 2022.
Oct. 2023 FCrA Final Rule Approval
On Oct. 5, 2023, FCrA announced approval of a final rule on cyber risk management.
Requires implementation of comprehensive, written cyber risk management program.
Program must assess internal/external risk factors, identify potential systems and software vulnerabilities, establish a risk management program for the risks identified.
Must also develop cyber risk training program, set policies for managing third-parties, maintain robust internal controls, establish institution board reporting requirements.
The final rule on cyber risk management becomes effective Jan. 1, 2025.
Dec. 2023 FCrA Fed Reg Final Rule
On Dec. 11, 2023, FCrA published final Cyber Risk Management rule in Federal Register.