Under the new cybersecurity Incident Notification Rule, U.S. banks will be required to notify federal regulators within 36 hours of discovering a qualifying cybersecurity incident. The rule takes effect on April 1, 2022, but enforcement will not begin until May 1.
The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) announced the final version of computer security incident notification requirements for banking organizations and providers of banking services on November 18.
Financial organizations regulated by the FDIC will be required to notify a designated contact person at the FDIC "as soon as possible and no later than 36 hours" by email, phone, or other similar method, after the organization determines that a security incident "rises to the level of a notification event." Banking service providers will also be required to report the incident to the bank if banking services are disrupted for more than four hours.
Under the rule, a "security incident" is any event that causes actual harm to the confidentiality, integrity, or availability of an information system.
A “notification event”, on the other hand, is an event that causes significant disruption to operations, prevents banks from offering their products and services, or poses a risk to the stability of the financial sector. Examples include computer failures and distributed denial-of-service and ransomware attacks.
Existing guidance directs banks to notify their primary regulator of unauthorized access to sensitive customer data "as soon as possible". The new rule formalizes what "as soon as possible" means. It also expands that guidance to cover incidents that did not expose customer data.
Within that 36-hour window, the rule requires financial entities only to notify regulators that an incident has occurred. A full assessment or analysis is not required as part of the notification and can be carried out after the 36 hours have elapsed. This is an important distinction, because many organizations will not have a complete picture of what is happening that quickly.
Banks are still required to file suspicious activity reports (SARs) within 60 days of discovering an incident.
The rule was originally proposed by the FDIC and OCC in December 2020.
Original article by CNCSO, if reproduced, please credit: https://cncso.com/en/bank-of-america-to-report-cyber-attacks-html