New Cybersecurity Rule Prompts Banking Review

A new rule requiring banks to report cybersecurity incidents to federal regulators within 36 hours will go into effect April 1. The Federal Reserve System’s Board of Governors, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency recently approved nationwide requirements pertaining to banks and their service providers. The change also requires banks to inform customers of any computer security incident lasting more than four hours.

The issue is part of new federal reforms and a focused effort to strengthen cybersecurity. In a joint press release issued by all three agencies, federal regulators report “Notification is required for incidents that have materially affected – or are reasonably likely to materially affect – the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.”

May 1 is the deadline for banks and financial service providers to prepare critical infrastructure for compliance. Although the change does not go into effect for nearly six months, now is the ideal time to prepare.

Here are three key questions to ask to help your organization plan ahead:

  • Who will be responsible for reporting the incident to federal regulators? Designate the employee responsible for gathering information and making the report. Take the time now to identify response procedures. Cybersecurity incidents are often stressful and 36 hours can feel like a short turnaround for detailed compliance on an important federal matter. Detailing who should be in charge of documenting the issue and reporting it can streamline the process, especially in an emergency situation.
  • Is your incident response plan up-to-date? Be sure to include new reporting requirements and related deadlines. Plan for how to respond in case of a cyberattack with tabletop exercises and internal incident response training. Practice how to outline detailed information to satisfy the requirements.
  • What is considered a qualifying incident and who can you contact for help? Although ransomware attacks and acts of intentional hacking are clear-cut examples of qualifying incidents, the new requirement is broader than past situations. Incidents not previously taken into account may now be considered. A denial-of-service attack interfering with customers’ ability to access their online accounts for more than four hours, for example, could trigger reporting requirements. Know who handles regulatory compliance in your organization and how to get in touch with them as needed.

If you have additional questions about upcoming cybersecurity requirements set to go into effect, please consult with your team’s management and legal teams.

This article first appeared in The Journal Record on January 7, 2022, and is reproduced with permission from the publisher.