
Banks Face 36-Hour Security Incident Reporting Deadline

A new Federal Deposit Insurance Corporation (FDIC) rule requires banks to notify federal regulators of security incidents within 36 hours.

Under a new final rule approved by the Federal Deposit Insurance Corporation (FDIC), banks will soon be required to notify federal regulators of security incidents within 36 hours.

The aim of the rule is to better position federal regulators to understand and respond to cybersecurity threats across the banking sector. It was passed on Thursday by the FDIC - an independent agency created by Congress to maintain stability and public confidence in the nation’s financial system - along with the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System. Banking organizations have until May 1, 2022, to comply with the new rule.

“The final rule seeks to allow the banking supervisors to be informed of the most significant cyberattacks in a timely fashion while avoiding unnecessarily difficult or time-consuming reporting obligations,” said FDIC Chairman Jelena McWilliams in a Thursday statement. “The final rule therefore does not require an assessment of the incident to fulfill the notification requirement.”

The current federal regulations that apply to banks’ cybersecurity protections - like the Bank Secrecy Act - either have longer incident reporting deadlines or do not clearly define the full spectrum of potential incidents that could impact organizations, such as distributed denial-of-service (DDoS) attacks.

For instance, the Interagency Guidelines Establishing Information Security, a set of guidelines for banking organizations published in 2001, mandate that banks notify their primary federal regulators of security incidents “as soon as possible.” Those guidelines define such incidents as ones “involving unauthorized access to or use of sensitive customer information.” The Securities and Exchange Commission (SEC) in 2018 published guidance on public company cybersecurity disclosures, but it was interpretive guidance and did not impose strict deadlines on companies. Certain banking organizations must also file Suspicious Activity Reports (SARs) if they become aware of suspicious activity related to money laundering; however, the deadline for filing these reports is 30 days after the date of initial detection.

The FDIC’s rule defines a security incident as one that “materially disrupted or degraded – or is reasonably likely to materially disrupt or degrade – the viability of a bank’s operations, its ability to deliver banking products and services, or the stability of the U.S. financial sector.” This could apply to security incidents such as a DDoS attack or a ransomware attack that results in the takedown of operations.

The final rule also requires that bank service providers notify each impacted banking organization customer as soon as possible once the service provider determines that it has experienced a security incident that has caused a “material service disruption or degradation for four or more hours.”

Organizations in the banking and financial sector maintain some of the most sensitive types of customer data, from Social Security numbers to credit card information. Cybercriminals have focused on this sector for years, with cyberattacks hitting organizations like JPMorgan Chase and MasterCard. In 2020, the financial services sector was the most attacked industry, with cybercriminals using malware like Ramnit, Trickbot and Qakbot to target financial organizations. Federal entities have recognized this: in October the Federal Trade Commission (FTC) announced sweeping updates to an existing set of requirements, the Safeguards Rule, to ensure that financial institutions secure consumer data.

Heather Hogsett, senior vice president, Technology and Risk Strategy at the Bank Policy Institute, said in a statement the final rule establishes "a clear timeline and flexible process for notifying regulators and affected parties when a significant incident occurs."

"Cyber-incident notification encourages early collaboration between regulators and banks so that regulators are made aware of circumstances that may have broader implications across the financial system while banks work to respond to, and investigate the incident," said Hogsett.