Oct 7, 2023Farm Credit Administration approves final rule on cyber risk management
The Farm Credit Administration (FCA) board has approved a final rule on cyber risk management. The rule requires each System institution to develop and implement a comprehensive, written cyber risk management program.
Approved by notational vote on Sept. 25, the final rule revises parts of 12 CFR Part 609, which governs electronic commerce. Notational votes are actions the FCA board takes between board meetings. The final rule becomes effective Jan. 1, 2025.
“Since becoming FCA board chairman and CEO last year, two of my top priorities have been good governance and innovation, and this final rule reflects those priorities,” said Chairman Vincent Logan. “It will strengthen the System’s ability to detect, monitor, and manage risks that threaten its mission to provide a safe, sound, and dependable source of credit for our nation’s farmers, ranchers, and rural communities. The rule will also create opportunities for institutions to innovate while working in a changing and challenging electronic environment.”
Board-approved cyber risk management plan requirements
According to the rule, each institution’s board-approved cyber risk management plan must require the institution to take the following actions:
- Assess internal and external risk factors
- Identify potential systems and software vulnerabilities
- Establish a risk management program for the risks identified
- Develop a cyber risk training program
- Set policies for managing third-party relationships
- Maintain robust internal controls
- Establish institution board reporting requirements
- Furthermore, each institution’s plan should be consistent with the institution’s size, risk profile and the complexity of its operations.
“Representing a major update of FCA’s technology regulations, this final rule will strengthen cybersecurity and cyber risk management practices at System institutions,” said Chairman Logan. “I want to thank the institutions and the public for providing constructive feedback during the comment period.”