
Banks must report major cyber incidents within 36 hours under finalized regulation

Industry won some concessions in the final version of the rule, which banks must comply with by May.
(L-R) Chairman of National Credit Union Administration (NCUA) Todd Harper, Chairman of Federal Deposit Insurance Corporation (FDIC) Jelena McWilliams and Acting Comptroller of the Currency Michael Hsu testify during a hearing before Senate Banking, Housing and Urban Affairs Committee at Dirksen Senate Office Building August 3, 2021. (Photo by Alex Wong/Getty Images)

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday.

Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system.

The rule, dubbed the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was cemented by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. There is currently no specific window within which banks must report such incidents to the agencies in question.

The final approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on leading pipeline, rail and air transport companies.


The 36-hour timeline for banks falls between the leading proposals on Capitol Hill at around 72 hours, and the TSA rules at 12 hours.

Banking regulators first proposed the requirement in December, and this spring industry groups criticized some elements of it. They won concessions in the final version of the rule.

For instance, the original version said that banks would have to report incidents if they “believe[d] in good faith” they had suffered a significant cyber incident. Banking industry organizations said that could lead to over-reporting of a wide range of incidents, rather than cases where they had definitively determined that something had happened.

“After considering the comments carefully, the agencies are replacing the ‘good faith belief’ standard with a banking organization’s determination,” the final rule summary states. “The agencies agree with commenters who criticized the proposed ‘believes in good faith’ standard as too subjective and imprecise. Accordingly, the agencies have removed the good faith language from the definition of ‘notification incident’ and have substituted a determination standard in the final notification requirement.”

The Bank Policy Institute, one industry group that had commented on the regulation, said Thursday that it supported the final rule.


“Cyber-incident notification encourages early collaboration between regulators and banks so that regulators are made aware of circumstances that may have broader implications across the financial system while banks work to respond to, and investigate the incident,” said Heather Hogsett, BPI’s senior vice president for technology and risk strategy.

Besides requirements for reporting to federal officials, the rule also spells out when banks must report cyber incidents to customers.

The Securities Industry and Financial Markets Association on Thursday announced that it had completed its latest cybersecurity exercise with 900 participants.

“The financial services industry is a top target, facing tens of thousands of cyberattacks each day,” said Kenneth Bentsen, CEO and president of the group. “Enhanced harmonization of regulatory standards and supervision, to reduce the amount of duplicative or redundant rules, would help enable firms to devote more resources to security and better protect investors.”
