If they aren't already, banks should begin preparing to change how they disclose certain types of cyber incidents in 2022.
Federal banking regulators last month published a final rule that will require banking organizations and bank service providers to notify their primary federal regulator within 36 hours if they've experienced a serious computer security incident.
The regulators, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC), published the rule on November 23. While it's slated to go into effect on April 1, 2022, banks won't be expected to comply until May 1, 2022.
Under the new notification rule, a computer security incident would have to result in harm to either information systems or the data on those systems in order to qualify. It would also, in the eyes of the agencies, have to rise to the level of a "notification incident."
According to the rule, as published in the Federal Register, a "notification incident" is any incident that could "materially disrupt, degrade, or impair the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector." It defines a computer security incident as any occurrence that could harm systems or information, or violate security policies or procedures.
Bank service providers, lenders and affiliates of lenders have an obligation under the rule too. If it's determined there's been a computer security incident, providers will be required to notify each banking organization that's affected if it's believed the incident will cause a disruption for four or more hours.
It's important to note that the rule doesn't require the bank service provider to gauge how severe an incident is or whether the banking organization should have to notify its customers. That responsibility will ultimately lie with the organization.
"If, after receiving notice from a bank service provider, the banking organization determines that a notification incident has occurred, the banking organization is required to notify its primary Federal regulator in accordance with this final rule," the rule reads.
As is usually the case, reading the breakdown of the rule on the Federal Register will give you a good idea of how it came to be. Some commenters favored immediate notifications, while others were concerned that this could lead to over-notification (and inaccurate notifications). Some had an issue differentiating between security incidents and service disruptions. The final version of the rule
While a slightly different version of the rule was actually proposed in January 2021, it's hard not to draw a line between the need for increased data security notification and the significant uptick in ransomware attacks that organizations have experienced so far this year. While attacks against JBS and Colonial Pipeline grabbed headlines, a report from September indicated the banking industry was heavily targeted and saw a 1,318 percent increase in ransomware, year over year, in the first half of 2021.
The Office of the Comptroller of the Currency, one of the regulators behind the rule, drove the point home further earlier this month. In its semiannual risk report, the OCC said it has observed an increase in ransomware attacks in financial services and stressed that banks have "robust" systems in place to identify threats and vulnerabilities in their technology.
"Operational risk is elevated as banks respond to an evolving and increasingly complex operating environment and cyber risks," the report reads.