If you’re in the financial sector, you have no doubt already heard about, and are hopefully prepared or preparing for, the new federal banking rule on cyber breach notifications. The rule took effect April 1, 2022, with full compliance required by May 1, 2022. It requires banking organizations and bank service providers to notify their banking regulators within 36 hours after a notification event, the tightest notification timeframe in U.S. history.
Who created the rule and why?
In November 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) issued a joint final rule to establish computer-security incident notification requirements for banking organizations and bank service providers, which will provide these agencies with early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events.
What is a “computer-security incident”?
An occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
What is a “notification event”?
A significant computer-security incident that:
- Disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations
- Results in customers being unable to access their deposit and other accounts, or impacts the financial stability of the United States
Here are a few examples:
- Large-scale distributed denial-of-service (DDoS) attacks that disrupt customer account access for an extended period (e.g., more than four hours)
- A failed system upgrade or change that results in widespread user outages for customers and banking organization employees
- A ransom malware attack that encrypts a core banking system or backup data
So, what should banks and banking service providers do right now?
First, look up your regulator’s (FDIC, the Federal Reserve Board, or the OCC) specific guidance on how and where to report incidents. Evaluate your current security posture to ensure you are adequately protecting your data and systems. Then, review and update your incident response (IR) plan to ensure that notification events are properly addressed, including who decides that an incident meets the definition and who makes the report. Finally, review and update agreements with third-party service providers to ensure they have a plan to comply with the new rule’s requirements.
We asked Gary Schober, Partner and Practice Area Leader for Cybersecurity & Privacy, and Blockchain & Cryptocurrency at Hodgson Russ to discuss the impact this new rule will have on organizations in the financial sector. Here’s what Gary had to say, “Compliance with this new rule will be immensely challenging for even the most disciplined financial institutions. Timely and accurate reporting will hinge on having the right team on speed dial. Lawmakers frequently miscalculate how long it takes a victim to respond to a cybersecurity incident, and this is another example.”
Brandy Griffin, Avalon Cyber’s Director of Cybersecurity Operations, warns that a failure to do even the basics can be a costly mistake. Most of the cyber incidents her team handles occur due to poor password management, no multifactor authentication (MFA), unpatched systems, and a lack of detection and response capabilities. Her mantra: Defense in depth is key!
Cybersecurity resources for the financial industry
- FS-ISAC – If you’re in the financial industry and not already a member of The Financial Services Information Sharing and Analysis Center (FS-ISAC), you should be! This organization is focused solely on the financial sector and leverages industry-specific threat intelligence and resources to educate its members on anticipating, mitigating, and responding to cyber threats.
- CISA – The Cybersecurity & Infrastructure Security Agency provides financial sector guidance and resources to thwart cyberattacks. The cyber essentials page is a great place to start!
How an MSSP can help
If you need assistance while preparing for compliance with the new federal banking rule, a managed security service provider (MSSP) can assist you through a variety of advisory services, including:
Policy & Documentation Development
Clear, documented policies are essential and form the basis of IT/IS security programs and of compliance with laws, regulations, and standards. An MSSP can help you create or mature the policies, procedures, and audit evidence needed to confirm your controls are designed and operating effectively.
Readiness Assessments
An MSSP can also help you prepare by defining the scope, developing project plans, identifying necessary controls and processes, and performing a readiness assessment to identify effective policies and controls, as well as gaps. This will allow your organization to see its baseline compliance within a given framework, along with the associated recommendations.
IT Risk Assessments
You need to understand the gaps within your information security program. Otherwise, your organization is vulnerable to threats that ultimately put your data and your reputation at risk. Ask for an evaluation of the internal and external controls that your organization employs to help you identify a prioritized list of risks. This will not only assist you in meeting the new federal banking rule but will also help reduce the chance of becoming the victim of a future cyber incident.
Security Consulting Services
Your MSSP can work as an extension of your team by providing knowledgeable experts, proven processes, and efficiency-gaining tools to help take your security posture to the next level. They can also assist with cyber incident response plan development and tabletop exercises, gap remediation services, security awareness training, and other services to strengthen your cybersecurity program.
Cybersecurity Counsel
Experienced counsel can help you design an incident response plan that properly evaluates the triggers for notification, including whether the incident results in actual harm to the confidentiality, integrity, or availability of an information system or the data that the system processes, stores, or transmits. Also, if a notification event occurs, counsel can lead the collaboration between legal and forensics professionals to maximize the extent to which the attorney-client privilege and other similar privileges are applicable.