US Banks Will Be Required to Report Cyberattacks Within 36 Hours

Published: 23/11/2024 | Category: security




There is currently no specific time frame within which banks must report to federal regulators that a security incident has occurred. A new notification rule changes that to 36 hours.



Under a new cybersecurity incident notification rule, banks in the United States will be required to notify their federal regulator of any qualifying cybersecurity incident within 36 hours of determining that it has occurred. The rule takes effect April 1, 2022, although compliance will not be required until May 1, 2022.
The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) announced the final version of the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers on Nov. 18.
FDIC-supervised financial organizations will need to notify the FDIC-designated point of contact via email, telephone, or a similar method as soon as possible, and no later than 36 hours after the organization has determined that a security incident rising to the level of a "notification incident" has occurred. Bank service providers will also be required to notify the banks they serve of incidents that have materially disrupted or degraded the services they provide for four or more hours.
Under the rule, a computer-security incident is any event that results in actual harm to the confidentiality, integrity, or availability of an information system or the information it processes, stores, or transmits.
A notification incident, by contrast, is a computer-security incident that materially disrupts the bank's operations, prevents it from delivering its products and services, or poses a risk to the stability of the financial sector. Examples include computer failures as well as distributed denial-of-service and ransomware attacks.
Existing guidance instructs banks to notify their primary regulator "as soon as possible" about incidents involving unauthorized access to sensitive customer data. The new rule formalizes what "as soon as possible" means. It also expands that guidance to cover operational incidents in which no customer data is exposed.
Within the 36-hour window, the rule requires only that the bank inform its regulator that a notification incident has occurred. A full assessment or analysis is not required as part of that notification and can follow after the 36 hours have elapsed. That is an important distinction, as many organizations will not have a complete picture of what happened that quickly. Note also that the clock starts when the bank determines in good faith that a notification incident has occurred, not at the first alert, so incident-response playbooks should record that determination time explicitly.
Banks must still file suspicious activity reports (SARs) under existing Bank Secrecy Act rules; that is a separate obligation with its own deadline, generally 30 days from initial detection and up to 60 days when no suspect has been identified.
This rule was initially proposed jointly by the FDIC, the Federal Reserve Board, and the OCC in December 2020. "The rule provides appropriate balance — avoiding unnecessarily difficult or time-consuming reporting obligations while ensuring that regulatory agencies are in a position to provide assistance to a bank or the broader financial system when significant computer-security incidents occur," FDIC Chairman Jelena McWilliams said in a statement at the time.
