Final Rule Places New Cybersecurity Reporting Requirements On Banks
Last month, the Federal Reserve System’s Board of Governors,
the Federal Deposit Insurance Corporation and the Office of the
Comptroller of the Currency approved a final rule that places
reporting requirements on banks and banking service providers.
Under this new rule, banks must report cybersecurity incidents
within 36 hours to federal regulators. In addition, banking service
providers must notify banks as soon as possible after suffering a
computer security incident. This new rule also requires banks to
inform customers of any computer security incident lasting more
than four hours.
This new rule is part of a current trend of requiring critical
infrastructures to report cybersecurity incidents. This rule goes
into effect starting April 1, 2022, and banks are required to be in
compliance by May 1, 2022. While the rule doesn’t go into
effect until next year, there are several ways that banks and
service providers can get prepared.
- Determine who will be responsible for reporting the
incident to the regulators. Cybersecurity incidents are
stressful. While the rule provides a more extended deadline than
the 12-hour reporting requirement for pipelines, 36 hours is still
a quick turnaround. Taking the time now to identify the person
responsible will make things easier during a cybersecurity
- Update your incident response plan to include these new
reporting requirements and deadlines. Each time new
industry rules and regulations go into effect, it is essential to
fit those requirements into your current incident response plan so
that your bank can practice meeting these deadlines during tabletop
exercises and internal incident response training.
- Reach out to experts for help. Ransomware
attacks and hacks by malicious actors are easy examples of
computer security incidents that must be reported. However, the
reporting requirement is broad enough to include incidents that are
not traditionally thought of as requiring reporting. For example, a
denial-of-service attack that interferes with customers’
ability to access their online accounts for half of the day could
trigger reporting requirements. This is why it’s essential to
speak with someone that can walk you through the practical
applications of this rule.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.