Ride the Lightning

Banks Required to Report Major Cyber Incidents to Feds Within 36 Hours

November 23, 2021

CYBERSCOOP reported on November 19 that banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on November 18.

Starting in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts or impact the larger financial system.

The rule, called the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was finalized by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. There is currently no specific time by which banks must report such incidents to the agencies in above.

Note well: This approval comes as Congress weighs broader reporting rules for critical infrastructure owners and operators, and as the Transportation Security Administration has begun imposing reporting requirements on leading pipeline, rail and air transport companies.

The 36-hour timeline for banks falls between the leading proposals on Capitol Hill at around 72 hours, and the TSA rules at 12 hours. Law firms, the betting money is that you will be subject to 72 hours to report major cyber incidents, though it will certainly be debated as the current proposals move forward.

There were concessions made in the initially proposed bank requirement.

The original version said that banks would have to report incidents if they “believe[d] in good faith” they had suffered a significant cyber incident. Banking industry organizations said that could lead to over-reporting of a wide range of incidents, rather than cases where they had definitively determined that something had happened.

“After considering the comments carefully, the agencies are replacing the ‘good faith belief’ standard with a banking organization’s determination,” the final rule summary states. “The agencies agree with commenters who criticized the proposed ‘believes in good faith’ standard as too subjective and imprecise. Accordingly, the agencies have removed the good faith language from the definition of ‘notification incident’ and have substituted a determination standard in the final notification requirement.”

Besides requirements for reporting to federal officials, the rule also instructs when banks must report cyber incidents to customer.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson