US financial regulators have announced that banking organisations will be required to report any cyber security incident that qualifies as “significant” within 36 hours of determining that it has occurred.
The rule, issued jointly by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board) and the Federal Deposit Insurance Corporation (FDIC), officially comes into effect on the 1st of April 2022, with compliance required from the 1st of May 2022.
Banking organisations under the rule include national banks, federal savings associations and federal branches of foreign banks, along with the state banks and holding companies the other two agencies supervise. In other words, institutions insured or regulated by the three key US banking agencies: the FDIC, the Federal Reserve and the OCC.
Bank service providers, organisations that provide services to a regulated bank, are also subject to the rule.
What is confusing some is the rule’s emphasis on “significant” cyber incidents. What is considered “significant” in the context of this rule?
The rule defines a “significant” cyber security incident as one that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the organisation’s ability to carry out its operations or deliver products and services to a material portion of its customers, a business line whose failure would mean a material loss of revenue or franchise value, or operations whose failure would threaten the financial stability of the United States.
Under this definition, a ransomware attack that encrypts core systems or a large-scale distributed denial of service (DDoS) attack that cuts off customer access for an extended period are the kinds of event the regulators cite as “significant”, because they disrupt operations and limit customer access to services.
The 36-hour clock is not the only notification duty. Bank service providers must also notify each banking organisation they serve as soon as possible once they determine an incident has caused, or is reasonably likely to cause, a material disruption or degradation of the services they provide for four hours or more.
The rule has changed considerably since US financial regulators first proposed it in December 2020.
Initially, the proposal required banks to report an incident as soon as they “believed in good faith” they had suffered a significant cyber incident. This drew backlash from industry groups, who pointed out that such a low threshold could lead to over-reporting of a wide range of routine security incidents.
In response, the regulators dropped the good-faith standard: the 36-hour window now begins only once the bank has determined that a “significant” incident, as defined above, has actually occurred.
The rule arrives alongside a broader shift in Western countries towards mandatory reporting of cyberattacks. With attacks on banks such as HSBC, and 70% of the UK financial sector reporting cyber attacks in 2020, I imagine we will see a similar rule implemented here in due course.