New Rule Requires Banks to Report Cyber Incidents to Government
Federal banking regulators have issued a new rule that requires banks to notify their primary federal regulator of major cybersecurity incidents within 36 hours. The rule takes effect in May 2022.
The Computer-Security Incident Notification for Banking Organizations and Their Bank Service Providers was created by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corp. It directs banks to report incidents such as ransomware, denial-of-service attacks and other cyberattacks that could affect customers’ ability to access their accounts or impact the larger financial system, CyberScoop reported.
The reporting requirement was first proposed in December 2020 and was met with criticism from industry groups. Organizations argued that the proposed rule would have led to over-reporting because it required banks to notify officials as soon as they believed they had been attacked, rather than once they had confirmed that an attack took place. The agencies agreed that the original reporting trigger was subjective and revised the standard accordingly.
The rule also sets out when bank service providers must notify the banks they serve of cyber incidents that disrupt the services those banks depend on.
Heather Hogsett, senior vice president for technology and risk strategy at the Bank Policy Institute, said cyber incident reporting would improve collaboration between financial institutions and regulators and enhance risk awareness in the financial sector. She added that the rule would allow banks to better respond to and investigate cyberattacks.