Under a new cybersecurity incident notification rule, banks in the United States will be required to notify federal regulators of any cybersecurity incidents within 36 hours of discovering it. The rule takes effect April 1, 2022, although enforcement will not begin until May 1.
The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) announced the final version of the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers on Nov. 18.
FDIC-supervised financial organizations will need to notify the FDIC-designated point of contact via email, telephone, or other similar methods "as soon as possible and no later than 36 hours" after the organization has determined that a security incident "that rises to the level of a notification incident" has occurred. Bank service providers will also be required to report incidents to banks in case of incidents where banking services are disrupted for more than four hours.
Under this rule, "security incidents" refer to any event that result in actual harm to the confidentiality, integrity or availability of information systems.
"Notification incidents," on the other hand, are events that cause serious disruption to operations, prevent the bank from delivering its products and services, or pose a risk to the financial sector’s stability. Examples include computer failures as well as distributed denial-of-service and ransomware attacks.
Existing guidance instructs banks to notify their primary regulator "as soon as possible" about incidents of unauthorized access to sensitive customer data. This new rule formalizes what that "as soon as possible" means. It also expands the guidance to cover incidents in which no customer data is exposed.
The rule requires the financial entities to just inform regulators that something had happened during this timeframe. A full assessment or analysis are not required as part of informing regulators, and can follow after 36 hours had elapsed. That is an important distinction as many organizations may not have a complete picture of what had happened that quickly.
Banks are still required to file suspicious activity reports (SAR) up to 60 days after discovery of an incident.
This rule was initially proposed by the FDIC and OCC back in December 2020. The rule "provides appropriate balance — avoiding unnecessarily difficult or time-consuming reporting obligations while ensuring that regulatory agencies are in a position to provide assistance to a bank or the broader financial system when significant computer-security incidents occur," FDIC Chairman Jelena McWilliams said in a statement at the time.