Final Rule Places New Cybersecurity Reporting Requirements On Banks

Crowe & Dunlevy (Contributor)

Last month, the Federal Reserve System's Board of Governors, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency approved a final rule that places reporting requirements on banks and banking service providers. Under this new rule, banks must report cybersecurity incidents within 36 hours to federal regulators. In addition, banking service providers must notify banks as soon as possible after suffering a computer security incident. This new rule also requires banks to inform customers of any computer security incident lasting more than four hours.

This new rule is part of a current trend of requiring critical infrastructure operators to report cybersecurity incidents. The rule goes into effect on April 1, 2022, and banks are required to be in compliance by May 1, 2022. While the rule doesn't go into effect until next year, there are several ways that banks and service providers can get prepared now.

  1. Determine who will be responsible for reporting the incident to the regulators. Cybersecurity incidents are stressful. While the rule provides a more extended deadline than the 12-hour reporting requirement for pipelines, 36 hours is still a quick turnaround. Taking the time now to identify the person responsible will make things easier during a cybersecurity incident.
  2. Update your incident response plan to include these new reporting requirements and deadlines. Each time new industry rules and regulations go into effect, it is essential to fit those requirements into your current incident response plan so that your bank can practice meeting these deadlines during tabletop exercises and internal incident response training.
  3. Reach out to experts for help. Ransomware attacks and hacks by malicious actors are easy examples of computer security incidents that must be reported. However, the reporting requirement is broad enough to include incidents that are not traditionally thought of as requiring reporting. For example, a denial-of-service attack that interferes with customers' ability to access their online accounts for half of the day could trigger reporting requirements. This is why it's essential to speak with someone who can walk you through the practical applications of this rule.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
