Bank cyber attacks spurs new safeguards

By Jesse Hamilton

Bloomberg News

US regulators plan to require banks to adopt baseline safeguards to shield themselves from cyberthreats after a series of assaults cost the industry billions of dollars and shook consumer confidence, people with knowledge of the matter said.

The Federal Reserve is leading other agencies in crafting the protections, which would be minimum standards, said the people who asked not to be named because work on the measures isn’t public. The effort stems partly from a concern that as digital breaches become more frequent and aggressive, an attack could cripple the entire financial system.

The Fed is working with the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp., the people said. Further details on the agencies’ plans couldn’t be determined, so it’s not clear whether costly efforts that lenders have already undertaken would put them in compliance with what regulators propose.

The industry has been stunned by recent computer muggings, including a February hack of Bangladesh’s central bank in which thieves made off with $81 million and the 2014 incursion of JPMorgan Chase that led to information on millions of customers being compromised. The attacks have spurred financial firms to try to fend off attacks by hiring thousands of employees to monitor threats and upgrading their technology.

The agencies’ first step would be to solicit public input on ideas for boosting banks’ defenses, which regulators would study before following up with a more formal proposal. The multistage rule process could stretch into next year.

Spokesmen for the Fed, OCC, and FDIC declined to comment.

In recent years, banking regulators’ public responses to hacks have mostly consisted of issuing guidance and industry alerts. But the escalating attacks have put pressure on them to do more, and a formal rule could give the government a greater ability to crack down on lenders it thinks aren’t doing enough to protect themselves. While the agencies years ago established information-security standards for banks, those measures were issued well before the modern threats emerged.