The Farm Credit Administration (FCA) final rule goes into effect on January 1, 2025. If you work for a farm credit institution, what does the final rule mean for you? Let's find out.

History

In 2002, the FCA enacted a set of information-technology regulations in 12 CFR Part 609. The requirements primarily focused on e-commerce technology. As the risk landscape changed, the FCA saw a need to expand the requirements and focus on a broader cybersecurity risk management program. So, here we are.

Cyber Risk Management Program Requirements

The final rule will require farm credit institutions to create a cyber risk management program, designed to protect the security of "current, former, and potential customer and employee information."

According to the final rule, the cyber risk management program is expected to include the following.

| Section | Requirement | Institutions are required to: |
| --- | --- | --- |
| 609.930(c)(1) | Risk Assessment | Perform an annual risk assessment that is virtually identical to a GLBA Risk Assessment. |
| 609.930(c)(2) | Vulnerability Management | Identify, prioritize, and remediate vulnerabilities in a "timely" manner. |
| 609.930(c)(3) | Incident Response | Create an incident response plan and update it at least annually. |
| 609.930(c)(4) | Training Program | Train, or validate that training is conducted for, employees, vendors, contractors, and the board. |
| 609.930(c)(5) | Vendor Management | Have a vendor management policy that encompasses the key pillars of vendor management (e.g., due diligence and selection, contract negotiation, ongoing monitoring, etc.). |
| 609.930(c)(6) | Security Testing | Perform an audit risk assessment and have regular security testing of their own controls based on the assessment (e.g., audits, penetration tests, vulnerability assessments, etc.). |


Institutions are expected to report on the status of the cyber risk management program at least quarterly.

Learn More

Download this Farm Credit Administration (FCA) Cyber Risk Management Final Rule: Resource and Tandem Mapping to learn more about the context of the rule and see how Tandem can help. Tandem's suite of products is designed to help financial institutions achieve their compliance goals and improve cybersecurity through the development of a cyber risk management program.

Learn more about how Tandem can help you at Tandem.App.