U.S. financial regulators have approved a new rule that requires banking organizations to report any “significant” cybersecurity incident within 36 hours of discovery.
Under the rule, banks must inform their primary federal regulator about incidents that have materially affected, or are reasonably likely to materially affect, the viability of their operations, their ability to deliver products and services, or the stability of the U.S. financial sector. That could include large-scale distributed denial of service (DDoS) attacks that disrupt customer access to banking services, or computer hacking incidents that disable banking operations for extended periods of time.
Additionally, banks — which the rule defines as “banking organizations” including national banks, federal associations, and federal branches of foreign banks — must notify customers “as soon as possible” if the incident has or might materially affect their customers for four hours or more.
“Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes,” the Computer-Security Incident Notification Final Rule explains. “Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect banking organizations’ networks, data, and systems, and ultimately their ability to resume normal operations.”
The final rule, approved by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC), will take effect on April 1, 2022, with full compliance expected by May 1, 2022.
The FDIC told TechCrunch in a statement that the rules “would apply to only those entities that are insured or regulated by the three banking agencies (FDIC, Federal Reserve or Office of the Comptroller of the Currency), or organizations that provide services to a regulated bank.”
Financial regulators first proposed the notification requirement in December, but after receiving some negative feedback from industry groups, they changed some elements of the final rule. The original version, for example, said that banks would have to report incidents if they “believed in good faith” they had suffered a significant cyber incident, but the industry warned that this could lead to over-reporting of a wide range of incidents, and the rule was changed.
“After considering the comments carefully, the agencies are replacing the ‘good faith belief’ standard with a banking organization’s determination,” the final rule summary states. “The agencies agree with commenters who criticized the proposed ‘believes in good faith’ standard as too subjective and imprecise.”
The Bank Policy Institute, one of the industry groups that had commented on the regulation, said in a statement that it supported the final rule.
“BPI recognizes the value of timely notification and supports the final rule, which establishes a clear timeline and flexible process for notifying regulators and affected parties when a significant incident occurs,” said Heather Hogsett, BPI’s senior vice president of Technology and Risk Strategy. “The rule also importantly maintains a clear distinction between notification and reporting. Cyber incident notification encourages early collaboration between regulators and banks so that regulators are made aware of circumstances that may have broader implications across the financial system while banks work to respond to and investigate the incident.”
Updated with comment from the FDIC.