While Congress continues to negotiate federal legislation requiring cyber incident notification by critical infrastructure providers to the government, financial services regulators have taken action. On Thursday, 11/18/21, the Federal Reserve, OCC and FDIC approved a final rule requiring banking institutions to report any significant cyber incident to their primary regulator within 36 hours of determining that an event has occurred. Significant events, referred to as “notification events”, are defined as events that:
Disrupts or degrades, or is reasonably likely to disrupt or degrade, the ability of the bank to carry out operations,
Results in customers being unable to access their accounts, or
Threatens the stability of the US financial sector.
This rule updates previous guidance by defining a specific notification time frame and broadening the definition of the types of events requiring notification. The intent of the new rule is to improve information sharing in an era where the frequency and severity of cyber attacks against financial institutions have increased significantly. Greater visibility into significant cyber incidents is intended to give regulators an early warning of threats against banking institutions and the broader US financial system. It is also intended to enable regulators to facilitate requests from the banks for assistance from federal offices.
Another significant change in this rule is a new requirement for bank service providers. Under the rule, service providers must notify their banking institution clients of an incident that will materially disrupt or degrade service for four or more hours. Unlike the regulatory notification, the notification requirement for service providers does not include a specific timeframe. It is simply defined as “as soon as possible” after the service provider has determined that a significant event has occurred.
Impact
While most banks and bank service providers likely already have notification plans and mechanisms in place, this new rule should prompt consideration of several actions:
Review existing incident response plans and, if necessary, update the scope of incidents requiring notification to regulators.
Update incident response plans with the required notification timeframes.
Use this review as an opportunity to confirm the list of contacts for notification at the regulators.
Vendor management and third party risk management teams at banking institutions should be contacting their banking service providers to:
Ensure the service providers are aware of the new rule's requirements, and
Confirm the list of contacts the service providers should notify in the event of an incident.
Banking service providers should also be taking action. Until this point, many service providers' notification practices were guided by their SLAs with their clients. Service providers need to review and update their response plans to ensure consistency with the scope and requirements of the new rule. Given the widespread use of service providers across the financial services industry, these partners will have a significant role in enabling timely response and notification by their clients.
In a landscape where cyber threats have skyrocketed in both frequency and impact, information sharing is a must to help combat these bad actors. Shared intelligence about ongoing threats, along with data about attack tactics, techniques and procedures, makes everyone stronger. FS-ISAC is a great example.