The Farm Credit Administration (FCA) cyber risk management final rule goes into effect on January 1, 2025. If you work for a farm credit institution, what does the final rule mean for you? Let's find out.
History
In 2002, the FCA enacted a set of information-technology regulations in 12 CFR Part 609. The requirements primarily focused on e-commerce technology. As the risk landscape changed, the FCA saw a need to expand the requirements and focus more broadly on a cybersecurity risk management program. So, here we are.
Cyber Risk Management Program Requirements
The final rule will require farm credit institutions to create a cyber risk management program, designed to protect the security of "current, former, and potential customer and employee information."
According to the final rule, the cyber risk management program is expected to include the following.
| Section | Requirement | Institutions are required to: |
| --- | --- | --- |
| 609.930(c)(1) | Risk Assessment | Perform an annual risk assessment that is virtually identical to a GLBA Risk Assessment. |
| 609.930(c)(2) | Vulnerability Management | Identify, prioritize, and remediate vulnerabilities in a "timely" manner. |
| 609.930(c)(3) | Incident Response | Create an incident response plan and update it at least annually. |
| 609.930(c)(4) | Training Program | Train, or validate that training is conducted for, employees, vendors, contractors, and the board. |
| 609.930(c)(5) | Vendor Management | Have a vendor management policy that encompasses the key pillars of vendor management (e.g., due diligence and selection, contract negotiation, ongoing monitoring, etc.). |
| 609.930(c)(6) | Security Testing | Perform an audit risk assessment and have regular security testing of their own controls based on the assessment (e.g., audits, penetration tests, vulnerability assessments, etc.). |

Institutions are expected to report on the status of the cyber risk management program at least quarterly.
Learn More
Download this Farm Credit Administration (FCA) Cyber Risk Management Final Rule: Resource and Tandem Mapping to learn more about the context of the rule and see how Tandem can help. Tandem's suite of products is designed to help financial institutions achieve their compliance goals and improve cybersecurity through the development of a cyber risk management program.
Learn more about how Tandem can help you at Tandem.App.