By Stel Valavanis, Founder and President of onShore Security
In today’s dangerous world of omnipresent cyber risk, it’s difficult to believe that a banking organization could experience a cyber security incident with no requirement to disclose it. But that has been the case, until now.
The FDIC is enforcing new guidelines beginning this spring for how information is shared about cyber incidents. The new regulation called The Final Rule states that banking organizations need to notify their primary federal regulator of any significant computer-security incidents as soon as possible and no later than 36 hours after the banking organization has determined that a cyber incident has occurred.
These notifications will now be required when incidents have the following attributes:
- An incident has materially affected, or is likely to materially affect, the viability of a banking organization’s operations.
- The banking organization cannot deliver its usual banking products and services to customers.
- The incident has the ability to affect the stability of the financial sector.
Additionally, the FDIC notes that when it has been determined that a computer security incident has materially affected, or is likely to affect, an organization’s customer base for four or more hours, customers must also be notified. This rule is set to go into effect on April 1, 2022, allowing banks to comply by May 1, 2022. Clearly this is not an easy task even for organizations with more mature cybersecurity, but it is necessary and here’s why.
Proper detection needs to be available in order to comply with these regulations. The notice of a cyber incident cannot be made if the breach is never detected in the first place. Organizations need to deploy necessary cybersecurity to be vigilant of these threats. Even with cybersecurity present, if a breach is made, accurate information needs to be reported to those who can fix it. This information can be used to better protect areas that have shown vulnerability. Data needs to be properly collected, analyzed, and modeled in order to fully understand what a possible attacker may want. Data allows analysts to do forensics and be better prepared for future incidents that may occur.
The faster that these incidents are reported, the less damage an organization, as well as those affiliated with that organization, will suffer. A swift and informed response indicates to customers and shareholders that they are in good hands. Taking control of a cyber incident as fast as possible is crucial. The FDIC implementing this policy is a great step in both highlighting and preventing cybercrime. The more visible these threats are, the more serious organizations will take them.
Through the implementation of this new rule, increased visibility in the financial space will occur. The knowledge of what data might have been breached and how that affects individuals can lead to more informed decisions by both the consumer and the banks themselves. An emphasis on knowledge sharing can allow organizations to run more effectively. Additionally, this visibility provides information to vendors of these banking organizations. Banks have a variety of vendors that they need to disclose this information to. The faster a bank handles these issues, the faster associated vendors can minimize damage to themselves.
While this new rule appeals directly to customers and vendors, banks themselves may be hesitant about the 36 hour rule. For one, these organizations have reputations to uphold, and a cyber incident occurring could affect how the general public sees them. They have shareholders and large clients that they need to keep happy and a cyber incident could lead to a loss of trust. Additionally, complying to such stringent policies could be a burden on the IT department of these institutions. If an organization’s cybersecurity team is not well structured it could be an overwhelming task. Insurance rates could also dissuade banking organizations from disclosing their incidents. They have incentive to want to keep insurance companies unaware of the possible attacks they have faced.
This regulation is coming a bit late, frankly the fact that without this regulation a banking organization could have had a cyber incident without disclosing is appalling. I truly believe this regulation will have an impact, these organizations will step up their policies and procedures, hold data longer, and in a more usable way, and perform tabletop exercises to make sure their incident reports are done well. These organizations will provide an even playing field for customers, vendors, and shareholders for they have to make these decisions. Let’s hope we see more smart regulation like this in future.