
US banks must soon report significant cybersecurity incidents within 36 hours

US financial regulators have approved a new rule that requires banking organizations to report any “significant” cybersecurity incident within 36 hours of discovery. 

Under the rule, banks must inform their primary federal regulator about incidents that have materially affected, or are reasonably likely to materially affect, the viability of their operations, their ability to deliver products and services, or the stability of the US financial sector. That could include large-scale distributed denial of service (DDoS) attacks that disrupt customer access to banking services, or hacking incidents that disable banking operations for extended periods of time.

Additionally, banks — which the rule defines as “banking organizations” including national banks, federal associations, and federal branches of foreign banks — must notify customers “as soon as possible” if the incident has or might materially affect their customers for four hours or more.

“Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes,” the Computer-Security Incident Notification Final Rule explains. 

“Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect banking organizations’ networks, data, and systems, and ultimately their ability to resume normal operations.”

The final rule, approved by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC), will take effect on April 1, 2022, with full compliance expected by May 1, 2022.

It’s unclear whether the rule will also apply to banking startups and fintech companies. TechCrunch contacted the FDIC for more but did not immediately hear back.

Financial regulators first proposed the notification requirement in December, but after receiving negative feedback from industry groups, they changed some elements of the final rule.

The original version, for example, said that banks would have to report incidents if they “believed in good faith” they had suffered a significant cyber incident. After the industry warned that this standard could lead to over-reporting of a wide range of incidents, the rule was changed.

“After considering the comments carefully, the agencies are replacing the ‘good faith belief’ standard with a banking organization’s determination,” the final rule summary states. “The agencies agree with commenters who criticized the proposed ‘believes in good faith’ standard as too subjective and imprecise.”

The Bank Policy Institute, one of the industry groups that had commented on the regulation, said in a statement that it supported the final rule.

“BPI recognizes the value of timely notification and supports the final rule, which establishes a clear timeline and flexible process for notifying regulators and affected parties when a significant incident occurs,” said Heather Gogsett, BPI’s senior vice president of Technology and Risk Strategy.

“The rule also importantly maintains a clear distinction between notification and reporting. Cyber incident notification encourages early collaboration between regulators and banks so that regulators are made aware of circumstances that may have broader implications across the financial system while banks work to respond to, and investigate the incident.”

Source: TechCrunch
