New Banking Cyber Security Rule Won’t Stop Attacks But Could Help Identify Vulnerabilities

By Terri Jo Neff

Federally regulated banks across the United States have about 100 days to get familiar with a new rule that requires the reporting of cyberattacks and other computer security incidents to regulators within 36 hours and “as soon as possible” to customers if the incident might materially affect operations for at least four hours.

The rule announced by the Federal Reserve Board of Governors (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) last month takes effect April 1. It applies to banking organizations such as national banks, federal savings associations, state member banks, U.S. operations of foreign banking organizations, federal branches and agencies of foreign banks, and U.S. bank holding companies and savings and loan holding companies.

Under the new rule, reportable cyber incidents are those causing “actual harm” with respect to the availability, confidentiality, or integrity of a banking organization’s information system or the information that the system processes, stores or transmits. As a result, notification will not be required if an incident only threatens to cause harm.

A banking organization’s service providers are also subject to the rule, which will now require a service provider to notify the banking organization of any incident that has caused “or is reasonably likely to cause” a service interruption of four or more hours.

Federal banking officials concede the new reporting requirement won’t stop cyberattacks on the nation’s banks. It won’t even serve as a speed bump in such criminal activity.

What it will do, according to industry newsletter Banking Exchange, is give regulators and federal law enforcement officials a better chance of tracking attacks, identifying patterns, and ensuring local bank executives are doing their part to protect customer data and assets.

Some types of computer incidents involve new account or wire fraud, account penetration or takeovers, and malicious attacks such as ransomware. The disruption or degradation of a banking organization’s operations which would pose a threat to the country’s financial stability will also trigger the new reporting regulation.

OneSpan, a cybersecurity company specializing in banking, recently released its Global Financial Regulations Report, which notes that the main challenges for banking organizations are reducing or preventing cyberattacks, safeguarding sensitive internal and customer data, and keeping up with changes in consumer privacy laws and industry rules.

The new banking regulation emphasizes material disruptions such as denial-of-service (DoS) attacks or data hacking incursions that limit or shut down a banking organization’s operations, regardless of whether customer information is compromised. However, some cyberattacks may also be subject to supplementary reporting under other federal or state laws.

Instructions will be sent to all regulated banks in early 2022 on when and how to process a notification.