Cyber threats in the banking industry are rising in both frequency and severity. Cyberattacks in the financial sector increased by 238% just within the first few months of 2020, causing cybersecurity to be a front focus of federal banking agencies. The Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) have decided to take regulatory action as to how financial institutions and technology vendors report cyber events.
The rules proposed by the FDIC and the OCC would require United States banks to notify their regulators of major cybersecurity incidents within 36 hours. The proposed federal rules would introduce reporting deadlines that do not currently exist for cybersecurity in the financial sector, and they cover both sophisticated cybercrime attacks and failed system upgrades. The proposal cites specific cyber events that would trigger the requirement to notify regulators. Notification to the institution's primary federal regulator can be as simple as a phone call or email. The proposed federal rules also include new obligations for banks' technology vendors, requiring a vendor to notify the bank once the vendor determines that a cybersecurity incident meets the thresholds cited in the proposal.
The FDIC reported that the newly proposed federal rules are intended to fill a gap in banks' existing reporting requirements and to contain the damage caused by cyberattacks through prompt notification. The FDIC and the OCC issued the proposal on Tuesday, December 15, 2020, and the Federal Reserve Board is expected to do so soon. The notice is open for comment for 90 days from its publication in the Federal Register.