Regulators: Banks Have 36 Hours to Report Cyber IncidentsOCC, Federal Reserve and FDIC Approve New Incident Reporting Rule
U.S. federal banking regulators have approved a new rule that will require banks to notify regulators no later than 36 hours after the organization determines it has suffered a qualifying "computer-security incident," the nation's top financial agencies announced on Thursday.
See Also: Case Study: The Road to Zero Trust
Regulators from the Department of the Treasury's Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corp., say that effective April 1, 2022 - with full compliance extended to May 1, 2022 - banking organizations must provide incident notification to the appropriate FDIC supervisory office or an FDIC-designated point of contact, within a day and a half.
"As technology has evolved, so have the cybersecurity risks with which banks must grapple," said FDIC Chairman Jelena McWilliams in a statement. "The final rule … addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations, allowing the FDIC and our fellow banking supervisors to be better positioned to understand and to respond to cybersecurity threats across the banking sector."
According to an 80-page draft rule, a "computer-security incident" is an occurrence that "results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores or transmits."
An incident requiring subsequent notification, the agencies say, is defined as a "computer-security incident" that has disrupted or degraded a banking organization's operations and its ability to deliver services to a "material portion of its customer base" and business lines.
The rule also requires banking service providers to notify at least one bank-designated point of contact at each affected customer banking organization "as soon as possible," when a service provider "determines it has experienced a computer-security incident" disrupting services for four or more hours.
"The final rule seeks to allow the banking supervisors to be informed of the most significant cyberattacks in a timely fashion while avoiding unnecessarily difficult or time-consuming reporting obligations," the FDIC's McWilliams said. "[It] therefore does not require an assessment of the incident to fulfill the notification requirement."
Experts Weigh In
The final rule incorporates the industry's recommendations to craft a requirement that provides useful information but does not overly burden financial institutions "when resources are focused" on the "disruptive event," says Denyette DePierro, vice president, cybersecurity and digital risk at the American Bankers Association.
"We look forward to working with the agencies over the next five months to further understand the requirements and clarify expectations for banks and their third-party service providers before the compliance date," she says.
Another expert praises the agencies' effort to prioritize cybersecurity.
"The joint rule demonstrates that U.S. federal regulators are becoming even more concerned about the likelihood of cybersecurity incidents in the financial sector," says Neil Jones, cybersecurity evangelist for the firm Egnyte. "The announcement also aligns with Deputy National Security Adviser Anne Neuberger's stern June 2021 warning that "All organizations must recognize that no company is safe from being targeted by ransomware."
At least one legal expert, however, is not convinced that the new rule will be entirely helpful.
"The final rule has all the earmarks of design-by-committee and a classic case of 'do something!-ism,'" says technology and cybersecurity attorney Richard Santalesa. "The definition of computer-security incident is still overly broad, even after the limited comments to the proposal (only 35) - but at least the nonexhaustive list of 'notification incidents' provides concrete examples."
"While I think the notification is a worthy goal, the 36-hour deadline is arbitrary. … More importantly, the notifications are unlikely to result in any meaningful benefit to other institutions, the government or individual consumers," says Santalesa, who is the founder of The Sm@rtedgeLaw Group. "Banking institutions are already very heavily regulated, on a national and state level."
Estimates and Examples
Regulators say in drafting the rule, they reviewed data and Suspicious Activity Reports, or SARs, filed with the Treasury Department's Financial Crimes Enforcement Network, or FinCEN, in 2019 and 2020. This review estimates that some 150 notification incidents occurred annually - though the regulators say that number could increase.
The agencies list the following "notification" examples:
- Large-scale DDoS attack disrupting account access for more than four hours;
- Bank service provider experiencing widespread system outage;
- Failed system upgrade resulting in widespread user outage;
- Unrecoverable system failure resulting in activation of a continuity or disaster recovery plan;
- Computer hacking incident disabling banking operations for an extended period of time;
- Malware on a bank's network that poses an imminent threat to core business lines or critical operations;
- Ransomware attack that encrypts a core banking system or backup data.
Upside for Financial Agencies?
The financial regulators contend that if the incident is isolated to a single organization, they may be able to "facilitate requests for assistance" to minimize impact, which may be particularly beneficial to under-resourced banks.
If the incident is more widespread, they say, agencies could alert other banking organizations, recommend measures to better manage the incident or help coordinate incident response.
Information provided as part of the notification process, they say, is subject to confidentiality rules - providing protections for confidential, proprietary, examination/supervisory, and sensitive personally identifiable information.
The agencies estimate that, with notification, banks may incur up to three hours of labor cost to coordinate internal communications, consult with service providers and notify regulators.
At the congressional level, earlier this month, Rep. Patrick McHenry, R-N.C., the top Republican on the House Financial Services Committee, introduced new legislation - the Ransomware and Financial Stability Act - that outlines processes for financial institutions to respond to ransomware attacks.
If enacted, it would require U.S. financial organizations to notify FinCEN with related details and attackers' ransom demands.