US Banks Cybersecurity Reporting Rule: 36-Hour Deadline

November 19, 2021

New Cybersecurity Reporting Rule for U.S. Banks

U.S. financial regulatory bodies have enacted a new regulation mandating that banking organizations report any significant cybersecurity incident within a 36-hour timeframe from the moment of its detection.

Incident Reporting Requirements

This rule stipulates that banks must promptly inform their primary federal regulator regarding incidents that either currently impact, or are reasonably anticipated to materially affect, the ongoing viability of their operations.

This also encompasses their capacity to consistently deliver products and services, as well as the overall stability of the financial system within the United States.

Examples of Reportable Incidents

Examples of incidents requiring notification include large-scale distributed denial of service (DDoS) attacks that interrupt customer access to banking platforms.

Furthermore, incidents involving computer hacking that result in prolonged disruptions to banking operations also fall under this reporting requirement.

Customer Notification Protocols

Banks, defined as “banking organizations” encompassing national banks, federal associations, and U.S. branches of foreign banks, are also obligated to notify customers “as soon as possible” if an incident has materially affected them, or is reasonably likely to, for a duration of four hours or more.

Scope of Cybersecurity Incidents

The Computer-Security Incident Notification Final Rule clarifies that computer-security incidents can stem from various sources.

These sources include destructive malware and malicious software (cyberattacks), as well as failures in hardware and software, human error, and other contributing factors.

Increased Cyberattack Frequency

The rule acknowledges the escalating frequency and severity of cyberattacks targeting the financial services sector in recent years.

These attacks can negatively affect banking organizations’ networks, data, and systems, ultimately hindering their ability to restore normal operational capacity.

Effective Dates

Approved by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC), the final rule became effective on April 1, 2022.

Full compliance with the new regulation is expected by May 1, 2022.

Applicability of the Rule

According to a statement provided to TechCrunch by the FDIC, the rules will apply exclusively to entities insured or regulated by the three banking agencies – the FDIC, the Federal Reserve, or the Office of the Comptroller of the Currency.

It also extends to organizations that provide services to a regulated bank.

Rule Refinements Based on Industry Feedback

While initially proposed in December, the notification requirement underwent revisions following feedback from industry groups.

The original draft stipulated reporting incidents if banks “believed in good faith” a significant cyber incident had occurred.

Addressing Subjectivity in Reporting

Industry concerns were raised that this could lead to excessive reporting of minor incidents, prompting a change to the final rule.

The final rule summary states that the agencies replaced the “good faith belief” standard with a determination made by the banking organization itself.

Commenters had criticized the proposed standard as being overly subjective and lacking precision.

Industry Support for the Final Rule

The Bank Policy Institute, an industry group that provided commentary on the regulation, issued a statement expressing its support for the final rule.

Heather Hogsett, BPI’s senior vice president of Technology and Risk Strategy, stated that BPI recognizes the importance of timely notification and supports the rule’s clear timeline and flexible process.

She further emphasized the rule’s distinction between notification and reporting, highlighting how incident notification fosters collaboration between regulators and banks.

This collaboration allows regulators to be informed of circumstances with potential systemic implications while banks focus on incident response and investigation.

This article has been updated to include a comment from the FDIC.
