New US Breach Reporting Rules for Banks Take Effect May 1
April 29, 2022 – Published on GovInfoSecurity
New cyber incident reporting rules are set to come into effect in the U.S. on May 1. Banks in the country will be required to notify regulators within the first 36 hours after an organization suffers a qualifying “computer-security incident.” The regulation was first passed in November 2021.
The rule was passed by a collective of U.S. regulators, including the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency.
While this is a new requirement from the FDIC and other regulators, most U.S. banks are already accustomed to a 72-hour incident reporting window under the New York Department of Financial Services cybersecurity regulation, says Gary Brickhouse, CISO at Guidepoint Security.
“Although the reporting time of 36 hours is a smaller window than most have grown accustomed to, the FDIC has referenced the simplicity of the notification process as it has ‘set forth no specific content or format’ as well as starting the 36-hour notification clock after you have determined you have an actual, rather than a potential, security incident,” Brickhouse says.
Brickhouse, in his blog post, says that the rule seems simple, but “the more challenging piece [is] tied to how the FDIC define[s] a notification incident.”