As cybersecurity becomes more important in finance, banks and security firms in Birmingham — like those elsewhere — have to react to new regulation.
Starting this spring, all U.S. banking organizations will be required to report any significant cybersecurity incidents to federal regulators within 36 hours of their occurrence. Affected customers must also be notified in some cases.
That’s because of the new Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers rule, created by the Office of the Comptroller of the Currency, Federal Reserve and Federal Deposit Insurance Corp. The rule takes effect April 1.
The rule is designed to keep regulators abreast of emerging cyber threats. To comply, banks will need to put proper systems, technology and personnel in place.
In a previous interview with the BBJ, John Norris, managing director of investments and thought leadership with Oakworth Capital Bank, said the increasing prevalence of mobile banking and other technology in the financial space means banks will have to continue adapting to stay ahead of hackers and protect customers’ data, such as their Social Security numbers or account information.
“All that information’s out there, stored on a server, out there in the cloud, and people from around the world want to get that information, so frankly they can steal your money, if not your identity,” he said. “So that’s the reason why banks are going to be spending far more money on technology for security purposes. Because this isn’t going away.”
Birmingham-based Regions Bank could not comment at length on the cybersecurity strategies it employs, but a spokesperson told the BBJ that “enhancing cybersecurity controls to stay ahead of emerging threats is a constant focus for Regions Bank.”
Brad Neighbors, a partner with Birmingham-based Balch & Bingham LLP who is focused on banking and financial services, said banks previously were required to report only unauthorized access to sensitive customer information. But such institutions will soon need to report incidents that disrupt or degrade their operations, prevent customers from accessing their accounts or affect the financial sector’s stability.
Neighbors said it may be difficult at first for banks to determine which incidents require reporting. Banks should review policies and procedures to make sure plans are in place to comply with the new rule, he said, and perhaps designate an individual such as a chief information security officer to notify regulators.
Brandon Jarrett, president of ThreatAdvice, said many banks are outsourcing to meet these needs.
“The trend we are seeing is more of an outsourcing model to managed security services providers with virtual CISO offerings,” Jarrett said.
Jarrett has seen more financial institutions invest in security incident event management and managed security operations center programs for cybersecurity purposes. He said...