A new rule requiring banks to report cybersecurity incidents to federal regulators within 36 hours goes into effect April 1. The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency recently adopted nationwide requirements for banks and their service providers. The change also requires banks to notify their customers of any computer security incident that lasts longer than four hours.
The rule is part of new federal reforms and a targeted effort to strengthen cybersecurity. In a joint press release from all three authorities, the federal supervisory authorities state: “Notification is required in the event of incidents that have significantly impaired, or are reasonably likely to significantly impair, the profitability of the business operations of a banking organization, its ability to provide banking products and services, or the stability of the financial sector.”
May 1 is the deadline for banks and financial service providers to prepare critical infrastructure for compliance. While the change has only been in effect for nearly six months, now is the ideal time to prepare.
Here are three key questions to ask to help your business plan ahead:
- Who is responsible for reporting the incident to the federal supervisory authorities? Identify the person responsible for collecting information and creating the report. Take the time now to define response procedures. Cybersecurity incidents are often stressful, and 36 hours can feel like a short turnaround for detailed compliance with an important federal requirement. Specifying in advance who is responsible for documenting the problem and reporting it streamlines the process, especially in an emergency.
- Is your incident response plan up to date? Make sure it includes the new reporting requirements and associated deadlines. Use tabletop exercises and in-house incident response training to plan how to respond in the event of a cyber attack. Practice drafting the detailed information needed to meet the requirement.
- What is a qualifying incident, and who can you contact for help? Although ransomware attacks and deliberate hacker attacks are clear examples of qualifying incidents, the new requirement is broader than previous rules. Incidents that would not previously have been reportable may now qualify. A denial-of-service attack that blocks customers’ access to their online accounts for more than four hours, for example, could trigger the reporting requirement. Know who is responsible for regulatory compliance in your company and how to reach them when necessary.
If you have any further questions about the upcoming cybersecurity requirements, please contact your organization’s management and legal departments.
* This article first appeared in The Journal Record on January 7, 2022, and is reproduced with the permission of the publisher.