Farm Credit Cybersecurity

New Rules Require FCS Institutions to Meet Stricter Cyber Standards

The Farm Credit Administration approves new rules on cyber risk management.

Farm Credit Systems (FCS) institutions will be required to meet stricter cyber risk management rules under a revision to rules announced by the Farm Credit Administration.

In general, the rule says that: "System institutions must engage in appropriate risk management practices to ensure safety and soundness of their operations. A System institution's board and management must maintain effective policies, procedures, and controls to mitigate cyber risks. This includes establishing an appropriate vulnerability management program to monitor cyber threats, mitigate any known vulnerabilities, and establish appropriate reporting mechanisms to the institution's board and FCA."

The changes, which go into effect in January 2025, will require each FCS institution to implement a "comprehensive, written cyber risk management program consistent with the size and complexity of the institution's operations." This program should ensure the security and confidentiality of current, former, and potential customer and employee information.

Each year, the institution's board will have to approve its cyber risk program and ensure it is consistent with industry standards. This would include an annual risk management review of the internal and external factors likely to affect the institution that could result in unauthorized disclosure, misuse, alteration, or destruction of current, former, and potential customer and employee information.

The changes, approved Sept. 25, 2023, revise parts of 12 CFR Part 609, governing electronic commerce.

FCA Board Chairman and CEO Vincent Logan said the changes "will strengthen the System's ability to detect, monitor, and manage risks that threaten its mission to provide a safe, sound, and dependable source of credit for our nation's farmers, ranchers, and rural communities. The rule will also create opportunities for institutions to innovate while working in a changing and challenging electronic environment."

Under the rule, each board-approved cyber risk management plan must require the institution to assess internal and external risk factors, identify potential systems and software vulnerabilities, establish a risk management program for identified risks, develop a cyber risk training program, set policies for managing third-party relationships, maintain robust internal controls, and establish institution board reporting requirements.