Final Rule Places New Cybersecurity Reporting Requirements On Banks – Finance and Banking

United States:

Last month, the Federal Reserve System’s Board of Governors,
the Federal Deposit Insurance Corporation and the Office of the
Comptroller of the Currency approved a final rule that places
reporting requirements on banks and banking service providers.
Under this new rule, banks must report cybersecurity incidents
within 36 hours to federal regulators. In addition, banking service
providers must notify banks as soon as possible after suffering a
computer security incident. This new rule also requires banks to
inform customers of any computer security incident lasting more
than four hours.

This new rule is part of a broader trend of requiring critical
infrastructure sectors to report cybersecurity incidents. The rule goes
into effect on April 1, 2022, and banks are required to be in
compliance by May 1, 2022. While the rule doesn't take effect
until next year, there are several ways that banks and
service providers can prepare now.

  1. Determine who will be responsible for reporting the
     incident to the regulators. Cybersecurity incidents are
     stressful. While the rule provides a more extended deadline than
     the 12-hour reporting requirement for pipelines, 36 hours is still
     a quick turnaround. Taking the time now to identify the person
     responsible will make things easier during a cybersecurity
     incident.

  2. Update your incident response plan to include these new
     reporting requirements and deadlines. Each time new
     industry rules and regulations go into effect, it is essential to
     fit those requirements into your current incident response plan so
     that your bank can practice meeting these deadlines during tabletop
     exercises and internal incident response training.

  3. Reach out to experts for help. Ransomware
     attacks and hacks by malicious actors are easy examples of
     computer security incidents that must be reported. However, the
     reporting requirement is broad enough to include incidents that are
     not traditionally thought of as requiring reporting. For example, a
     denial-of-service attack that interferes with customers'
     ability to access their online accounts for half of the day could
     trigger the reporting requirement. This is why it's essential to
     speak with someone who can walk you through the practical
     applications of this rule.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.