US financial regulators have approved a new rule that requires banks to report “serious” cybersecurity incidents within 36 hours of their discovery.
Under this rule, banks must notify their federal supervisors of incidents that have had, or are likely to have, a significant impact on the viability of their operations, their ability to deliver products or services, or the stability of the US financial sector. Examples include large-scale distributed denial of service (DDoS) attacks that block customers’ access to banking services, and computer hacking incidents that disable banking operations for extended periods of time.
In addition, a bank (defined by this rule as a “banking organization,” which includes national banks, federal associations, and federal branches of foreign banks) must notify its customers “as soon as possible” if an incident has had, or is likely to have, a significant impact on them for more than four hours.
“Computer security incidents can be caused not only by destructive malware and malicious software (cyberattacks), but also by non-malicious hardware and software failures, human error, and other causes,” the Computer Security Incident Notification Final Rule explains. “Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks have a negative impact on banks’ networks, data and systems, and can ultimately affect their ability to resume normal operations.”
Approved by the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (Board), and the Office of the Comptroller of the Currency (OCC), the final rule will come into effect on April 1, 2022, with compliance required by May 1, 2022.
It’s unclear whether this rule also applies to banking startups and fintech companies. TechCrunch contacted the FDIC for more information, but didn’t get an immediate response.
Financial regulators first proposed the notification requirement in December 2020, but negative feedback from industry groups led them to change some elements of the final rule. For example, the original proposal required banks to report an incident if they believed “in good faith” that they had been hit by a serious cyber incident. That standard was changed after the industry warned that it could lead to over-reporting of a wide range of incidents.
“After careful consideration of the comments, the authorities have replaced the ‘good faith belief’ criteria with the judgment of the banking organization,” the final rule summary states. “The authorities agree with comments that criticized the proposed ‘good faith belief’ criteria as subjective and too unclear.”
The Bank Policy Institute (BPI), one of the industry groups that commented on the regulation, said in a statement that it would support the final rule.
“BPI recognizes the value of timely notification to regulators and stakeholders in the event of a significant incident, and we support a final rule that establishes a clear timeline and a flexible process for doing so,” said Heather Hogsett, Senior Vice President of Technology Risk Strategy at BPI. “This rule is also important in that it makes a clear distinction between notification and reporting. Notification of cyber incidents encourages early collaboration between regulators and banks, and enables regulators to recognize situations that could have a widespread impact on the entire financial system while banks are responding to and investigating incidents.”
Image Credits: Robert Alexander / Getty Images
(Article: Carly Page, Translation: saurabh)