US financial regulators have finalized a rule requiring banking organizations to notify their primary federal regulator of any “notification incident” (a significant computer-security incident) as soon as possible and no later than 36 hours after determining that one has occurred.
That gives regulators early warning of, say, a ransomware or DDoS attack that may have wider implications across the financial system, potentially helping other institutions preempt similar problems.
The regulation is further evidence of how thoroughly technology now underpins US banking, and of the government hammering out the fine details needed to keep an eye on it.
How the Rule Works
Like all US regulation, this one comes with a deeply specific name no one can remember, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” and is issued jointly by three agencies with similarly long names: the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. The “bank service providers” in the title are covered too: a provider that determines an incident has disrupted or degraded, or is reasonably likely to disrupt or degrade, the services it supplies to a bank for four or more hours must notify each affected bank customer as soon as possible.
Here's what to know: Before this rule, banks had no set window in which to report cyber incidents. Some Capitol Hill proposals suggested a timeline of about 72 hours, while the TSA's 2021 pipeline security directive requires reporting within 12 hours, so the 36-hour mark lands between the two.
The initial proposal was published in December 2020, so the finalization process took nearly a year.
Banking industry groups influenced the final rule as well, cutting language that would have required banks to report anything they “believe in good faith” to be a notification incident. Now the 36-hour clock starts only once a bank has determined that a notification incident has actually occurred.
“Cyber-incident notification encourages early collaboration between regulators and banks so that regulators are made aware of circumstances that may have broader implications across the financial system while banks work to respond to, and investigate the incident,” said Heather Hogsett, senior vice president for technology and risk strategy at the Bank Policy Institute, which supports the new rule.
The rule doesn't take effect immediately: it becomes effective April 1, 2022, with full compliance required by May 1, 2022.
Once that happens, the impact should be sizable. Some financial associations estimate the industry sees tens of thousands of attempted cyberattacks a day, though only the fraction that materially disrupt operations, business lines or financial stability meet the rule's notification threshold.
More Visibility Is Always Good
More data on what ransomware or DDoS attacks look like beats less, and regulators learning about an incident within a day and a half can make a real difference. Other industries already have similar oversight: the U.S. Department of Health and Human Services, for example, runs a public portal listing reported health data breaches that affect 500 or more individuals.
Ransomware in particular remains a top threat for the banking industry, reportedly accounting for 81% of financial cyberattacks in 2020. Small businesses in any industry can avoid ever having to report an attack by preventing it in the first place, and a business VPN is one piece of that: it encrypts company traffic in transit so it can't be read or tampered with on untrusted networks. A VPN won't stop ransomware by itself, though; offline backups, multi-factor authentication and prompt patching matter at least as much.
No security measure is completely safe, but you shouldn't wait for your bank to report a cyberattack before taking precautions yourself, even though regulators will be hearing about incidents a lot more quickly once this rule is in place.