Starting May 1, FDIC-supervised banking organizations will need to comply with new reporting rules regarding cyber security incidents.
In November, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency (OCC) issued a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers. Part of the implementation of the final rule was delayed until April 1 and its full implementation is expected May 1.
The new rule will inform agencies of emerging threats to banking organizations and the financial system, including potential systemic cyber events.
Under the new rules, banks will be required to notify the FDIC as soon as possible and no later than 36 hours after the bank learns an incident has occurred. The rule defines a computer-security incident as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
For example, banks should notify incidents that include a major computer-system failure, a cyberattack, a ransomware attack or another type of operational interruption.
The rule also requires a banking service provider to notify the bank-designated point of contact of any computer-security incident that has disrupted or degraded or is likely to disrupt or degrade the banking organization for four hours or more.
Governments worldwide are enacting new legislation requiring companies to report cyber-related incidents to test the resilience of critical infrastructure.
On March 15, President Joe Biden signed into law the Cyber Incident Reporting For Critical Infrastructure Act of 2022, creating new rules requiring U.S. critical infrastructure entities (including financial services, energy, defense industrial bases) and federal agencies to report cybersecurity incidents within 72 hours of the incident and within 24 hours if a ransomware payment was made.
The act establishes a minimum reporting standard for “covered entities,” which — according to the President Policy Directive 21 — include companies in the communication sector, financial services sector, information technology sector and 13 other sectors considered critical infrastructure. One sector that is not clearly included or excluded from the list of 16 critical infrastructure sectors is crypto and central bank digital currencies. Still, given the importance to national security that President Biden gave to digital assets in his Executive Order issued on March 9, companies in this space may also decide to observe these new reporting requirements.
The legislation includes enforcement mechanisms to ensure compliance with the new reporting requirements. The CISA may issue subpoenas to companies it believes have experienced a cyber incident or made a ramson payment. If a company fails to comply with the subpoena, it may face civil lawsuits to seek enforcement.
Read More: US Cybersecurity Law Increases Reporting Duties For Most Firms
Two weeks later, on March 28, the European Union proposed new rules to establish common cybersecurity and information security measures across EU institutions and reinforce the EU Agency for Cybersecurity. This law also complemented the Digital Operational Resilience Act (DORA), a law proposed by the European Commission that aims to establish uniform requirements for the security of networks and information systems in the financial sector. The purpose of the law, which is part of a bigger EU digital finance package, is to make the financial sector more resilient and better prepared for cyber threats and other information and communication technology (ICT) risks.
Read More: EU to Boost Cybersecurity Rules as Risk of Cyberattacks Looms