Regulation

New 36-hour reporting rule for cyber incidents puts more pressure on banks

From left: Chairman of National Credit Union Administration (NCUA) Todd Harper, Chairman of Federal Deposit Insurance Corporation (FDIC) Jelena McWilliams and Acting Comptroller of the Currency Michael Hsu testify during a hearing before the Senate Banking, Housing and Urban Affairs Committee on Aug. 3, 2021, in Washington. (Photo by Alex Wong/Getty Images)

The U.S. banking industry has long been concerned with the seemingly unstoppable growing spike in online intrusions. Now, it seems, banks will also have to contend with getting information about those security compromises out to their regulators much faster than before. 

As SC Media previously reported, all the major U.S. banking regulators earlier this month issued a new joint rule, which effectively demands that all banks report any “computer security incident” to their main federal regulator (whether it be the FDIC, the Federal Reserve or the OCC) within just 36 hours. The new rule will also extend to banks’ third-party vendors, who are themselves required to communicate word of any known cybersecurity incident to at least one contact at each bank customer which might be affected. The rule becomes effective on April 1, 2022, and full compliance is required by May 1, 2022. 

Gary McAlum, senior analyst with cybersecurity researcher TAG Cyber, and formerly the chief security officer at USAA, believes the overall intent of the rule is positive. “However, the challenging part of this rule is the 36-hour time limit,” he pointed out. “Banks of all sizes deal with millions of security events every day. Some of these events become 'incidents,' which may be potentially significant, but can be appropriately managed through incident response. Some incidents become breaches.”  

At first blush, the rule seems not only sensible, but necessary as the pace and pervasiveness of financial industry cyberattacks mounts, especially in the past two years. The idea being not just to root out the incursion before it gets too far along, but gathering as much information as possible on the online intruders and their practices early on. 

“The FDIC is trying to do what all U.S. federal cyber regulators are trying to do, which is to get better data,” said Roger Grimes, data-driven defense evangelist for KnowBe4, a corporate cyber education provider. “Previous lax reporting requirements gave financial organizations a bit too much wiggle room on what to report and when.”

As a result, the incumbent data inaccuracies failed to present a true picture of the security environment or give defenders a better chance to fix it, Grimes added.  

Previous bank reporting rules

This isn’t the first time a federal cyber reporting regulation has been put to banks, but it does represent the first time in more than 16 years it has been updated.

The previous federal rule, issued in March 2005, only required banks to “develop and implement a response program to address unauthorized access to ... customer information [resulting] in substantial harm or inconvenience to a customer.” (In other words, banks only had to report compromises where particular customer data was stolen.) Also, in 2016, the Financial Crimes Enforcement Network (FinCEN) began requiring banks to file suspicious activity reports for cybercrimes to them; although these crimes typically encompassed money laundering or potential terrorist activity, not the wider context of cybersecurity incidents. 

"This mandate is another example of the federal government flexing its influence to bring more transparency into how major and critical industries like banking respond to cybersecurity incidents,” said Ian McShane, field CTO at Arctic Wolf. “As regulated as this industry is already, it’s common sense to enforce rapid reporting on material cybersecurity incidents because of the significant impact they can have on markets and consumers.”

Indeed, for the wider cybersecurity industry, banking customers, and arguably banks themselves, this new regulation could prove to have long-term benefit. 

In the short term, however, a lot of details will need to be defined and processes sorted out and possibly re-tooled all together. For example, under the new rule, a computer incident could be applied to a broad-based ransomware or DDoS attack and also a phishing scheme that might affect a limited portion of the bank’s network. Should the regulatory reporting on both incidents be given the same weight? 

“[The new rule] will be problematic for banks to meet this rule unless clear threshold criteria, such as materiality, are clearly spelled out,” McAlum pointed out. “Also, and more importantly, when does the clock start?” In addition, McAlum said banks might rightfully question what constitutes “good faith reporting” when many incidents or breaches require a “significant amount of forensics investigation ... to answer key questions related to who was impacted and how, when, and why did it occur.”

Also, when it comes to the already prickly issue of third-party providers (of which even community banks may have dozens, even hundreds), the new rule means that a bank vendor needs to report any computer security incident for which there is a "good faith belief [the incident could] disrupt, degrade or impair” banking services. But, so far, the rule fails to outline exactly how a provider should notify their bank customer — email or phone, in-person or in writing? 

Not to mention, bankers are arguably feeling more than a bit hamstrung in their innovative efforts by the extensive regulations with which they already need to comply. Nearly one-half (48%) of top bank executives surveyed for the OneSpan Global Financial Regulations report claimed that the demands of meeting their industry regulations have substantially slowed their “digital transformation progress.” In particular, banker-respondents cited regulations around cybersecurity reduction (53%) and protecting sensitive data (47%) as their biggest regulatory hurdles.  

“I am not sure if they will have trouble reporting, but most will not like the requirement for a bunch of reasons beyond the natural aversion to reporting trouble to a regulator,” Grimes said. “The biggest problem is how to determine what the breach is accurately in a timely manner. The only thing senior management fears more than reporting issues to regulators is reporting inaccurate information.”

Will senior management get in more trouble with regulators for missing the 36-hour reporting deadline, or for putting out incorrect information, Grimes mused. “Clearly, senior management, their legal team and IT will likely be wrestling with that issue during any cybersecurity incident.”

Catherine Lyle, head of claims for cyber-liability insurer Coalition, believes that “further guidance” will be coming down by early next year — in effort to provide clarification. In the meantime, banks and service providers should “review incident response plans and prepare for this new rule,” Lyle advised. “Having a well-defined plan should include how to stop and remediate an event notification. Otherwise, banking organizations will have a very tough time meeting this strict timeline.”

McAlum agreed, adding: “If the reporting requirement is not properly tuned, there could be a significant volume of extraneous information injected into the system which could cause confusion, and a tendency to 'over engineer’ a solution, creating unnecessary overhead and staffing requirements.”

prestitial ad