Banks had to start complying with a new set of mandatory reporting rules
Published in the May 3, 2022 Morning Cybersecurity Newsletter
Banks got their first taste over the weekend of what it's like to maneuver through overlapping cyber reporting requirements, as a notification rule from three U.S. financial regulators took effect on May 1.
But chances are, adapting to the new rule from the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency will be much easier for banks than complying with forthcoming programs at CISA and the Securities and Exchange Commission.
Under the Fed, FDIC and OCC's new rule, banking organizations must notify their primary federal regulator of a ransomware attack, major computer system failure or other significant cybersecurity incident within 36 hours of determining that a notification incident has occurred. While that 36-hour window is shorter than banks are used to, most major banking organizations already flag major cyber incidents like these to their regulator, said Gary Brickhouse, chief security officer of critical infrastructure security firm GuidePoint Security. "While this is technically a new requirement, most U.S. banks likely already have incident reporting requirements through other regulations," Brickhouse said, including those of state financial regulators.
Brickhouse said the biggest headache will be adjusting to the rule's definition of a major cyber incident, which is broader than what banks are used to. Typically, an issue like a failed system upgrade that causes user outages wouldn't be something banks would need to report, he said, but under the new rule such outages fall within the definition.