Federal bank regulatory agencies in the United States have adopted a new rule requiring banks to notify their principal federal regulators within 36 hours of severe computer-security problems. Banks are obliged to report large cyberattacks if they have had or will have a significant impact on their operations, capacity to offer banking goods and services, or the stability of the US financial sector.
If a cyberattack has substantially harmed or is likely to affect consumers for four hours or longer, bank service providers will be required to warn customers “as quickly as feasible.” Examples of occurrences that must be reported under the new regulation include large-scale distributed denial of service attacks that interrupt customer account access to banking services and computer hacking incidents that shut down banking operations for lengthy periods.
According to the Computer-security Incident Notification Final Rule, computer-security events can be caused by malicious software (cyberattacks), as well as by non-malicious hardware and software failures, personnel errors, and other factors. In recent years, cyberattacks in the financial services industry have increased in both frequency and severity. Cyberattacks against financial institutions’ networks, data, and systems can hurt their capacity to restore normal operations.
On Thursday, the Federal Deposit Insurance Corporation (FDIC) announced that it will provide supervised institutions with procedures for FDIC notification in early 2022. The new cyberattack reporting requirement aims to raise banking supervisors’ awareness of potential threats to banking institutions and the US financial system, so that federal bank regulatory authorities can respond to these growing and accumulating concerns before they become systemic.
FDIC Chairman Jelena McWilliams said that the final rule aims to ensure financial supervisors are alerted to the most significant cyberattacks in a timely manner while avoiding overly burdensome or time-consuming reporting duties. To that end, the final rule eliminates the need for an incident assessment to satisfy the notification requirement.
Separately, a recently filed measure would, if enacted into law, require US financial institutions hit by ransomware attacks to alert the Director of the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) with data on the attack and any related ransom demands.