Banking Regulators Issue New Security Breach Notification Rules
Cybersecurity Ventures estimates that cybercrime costs totaled $6 trillion globally in 2021, and IBM X-Force research finds that 18.8% of cyberattacks target banks and other financial institutions. Because of the risk to U.S. national security, lawmakers are imposing greater cybersecurity requirements on the financial services industry.
On November 23, 2021, the Federal Deposit Insurance Corp. (FDIC), Office of the Comptroller of the Currency (OCC), and Board of Governors of the Federal Reserve System (Board) published final rules for Computer Security Incident Notification Requirements. The new rules require that banks and other financial institutions notify regulators of incidents that materially affect their operations “as soon as possible” and no later than 36 hours after the incident is identified.
Effective April 1, 2022, the final rule also requires a bank service provider to notify each affected financial institution as soon as possible when an incident causes a service disruption or degradation that is likely to last four or more hours. This requirement is designed to promote early awareness of emerging threats to banking organizations and the broader financial system.
The new reporting requirements are in addition to existing rules under the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and other state and federal regulations. Full compliance with the new rules was required by May 1, 2022.
The Cybercrime Epidemic in Banking
Cyberattacks continue to escalate, and the financial services sector is a primary target. A report by VMware found that cyberattacks on the financial sector increased more than 200% from February 2020 to April 2020, with ransomware attacks alone up 9x.
Successful attacks can have a devastating effect on financial institutions. According to a 2021 report from the Ponemon Institute and IBM Security, each data breach costs the financial sector $5.72 million on average.
Such attacks also impact the economies of countries and regions, and even the global financial system. In February 2016, for example, hackers attempted to steal $1 billion through the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a secure messaging system that financial institutions use to facilitate money and securities transfers and electronic payments. The cyberattack targeted the central bank of Bangladesh and exploited vulnerabilities in SWIFT. The hackers were able to get away with $100 million before the transactions were blocked.
Financial Sector Risks
Because of the highly interconnected nature of today’s electronic financial systems, rapid reporting of security incidents is critical to prevent widespread damage. A cyberattack could move quickly through multiple organizations and computer systems in the global supply chain.
Russia’s attack on Ukraine has only heightened these concerns. Before the military action, Russian hackers executed cyberattacks on Ukrainian government agencies and financial institutions. U.S. security experts have warned that these attacks could spread to organizations in this country. Russia could also direct an attack on U.S. infrastructure. On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act, creating a 72-hour reporting requirement for owners and operators of critical infrastructure, including the financial services sector.
The Cybersecurity and Infrastructure Security Agency defines the financial services sector as not only banks and other depository institutions, but also credit and financing companies, insurance companies, and providers of investment products. It also includes organizations such as SWIFT that support these functions.
Defining Regulatory Scope
The new banking regulations define “banking organizations” as entities within the scope of authority of the various regulatory agencies involved. Each banking organization must report a security incident to its primary federal regulator. For example, national banks report to the OCC and U.S. bank holding companies to the Board.
Bank service providers that are subject to the Bank Service Company Act (BSCA) must comply with the reporting requirements. However, the regulations specifically exclude financial market utilities (FMUs), which are regulated by the Securities and Exchange Commission (SEC) or Commodity Futures Trading Commission (CFTC) under the Dodd-Frank Act.
The regulations broadly define “computer-security incident” as any event that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” A “notification incident” is a computer-security incident that materially disrupts or degrades a covered entity’s operations or ability to deliver services to its customers, or causes material loss of revenue, profit, or value. Operations include any functions that could impact U.S. financial stability.
Meeting the New 36-Hour Requirement
The 36-hour requirement is quite short compared to existing regulations. For example, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to report unauthorized access to sensitive information “as soon as possible.” The State of Illinois requires the reporting of data breaches affecting more than 250 residents within 72 hours. It should be noted that these rules focus on the security and privacy of information and not on operational disruption.
To comply with the new regulations, banking organizations and bank service providers should ensure that they have policies and procedures in place that enable rapid detection and reporting of security incidents. These organizations should already have incident response plans, which may need to be updated, and employees trained, to meet the new timing requirements.
Learn More About Current Issues Affecting the Legal World
The financial services sector should stay up-to-date with rapidly evolving federal, state, and even international requirements for cybersecurity. Given the growing threat of attacks, the financial sector must be prepared to protect its operations, data, and infrastructure. Cybersecurity legal experts are in great demand in both the public and private sectors.
Purdue Global Law School offers two online law degrees:
An online Executive Juris Doctor for those who wish to gain the knowledge and skills of a lawyer without becoming one. The program includes a law and technology track that provides advanced legal training on cybersecurity issues.
An online Juris Doctor for those who wish to become an attorney licensed in California.
Single courses in technology and the law are also available.
Ready to learn more? Request more information today.