Banks in the US will now have just 36 hours to report a cybersecurity incident to a federal regulator, amid the heightened potential for Russian-led cyber attacks.
Although it received final approval back in November 2021, the rule, imposed by the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), officially came into full effect on 1 May.
As part of the new ruling, banks will now have to speed up their response to cybersecurity attacks, adhering to what is now a much shorter timeline for incidents. Regulators must now be notified within the space of 36 hours if, as the ruling states, ‘a computer-security incident that rises to the level of a notification incident has occurred.’
Furthermore, the announcement outlines a computer-security incident as ‘an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.’
Yet the ruling extends beyond the surface of general US banking, and will also apply to a bank’s technology vendors. In this way, vendors will now be held accountable for notifying their banking customers of any incident that would disrupt services for four hours or more.
Banks are also obliged to file suspicious activity reports (SARs) up to 60 days after becoming aware of an incident.
The previous procedure for reporting such incidents, under which banks were to notify regulators ‘as soon as possible’, had been in place since 2007. Under the overhaul, however, cybersecurity breaches in which no sensitive customer data is exposed will now also have to be reported.
The Biden administration has urged national banks to comply with the new legislation in light of rising international conflicts, namely the part played by the US in Russia’s invasion of Ukraine, which has been ongoing since late February 2022.
The data, specifically a 2022 report by the cloud computing company VMware, show how financial institutions are increasingly coming under attack. According to the report, 63 per cent have reported an increase in attacks over the last year, a 17 per cent increase on the company’s previous report.
Although the US financial system has shifted considerably towards more digital means, especially in light of the Covid-19 global pandemic which ultimately gave attackers more access points, US banks remain no stranger to attacks when international tensions are high.
Back in 2012, US banking holding companies Capital One and Truist Financial both experienced significant breaches in their systems at the hands of Iranian attackers, which came as a direct response to imposed US sanctions on the country’s nuclear weapons programme.
With the US now voicing its unshakable support for Ukraine as the country fights off Putin’s now-ailing army, the Biden administration is right to worry that the events of 2012 will be repeated, with ramifications expected to be much larger and far more devastating.
“The new cyber incident reporting requirements for banks are needed to advance information-sharing and improve industry-wide defensive capabilities,” explained Marcus Fowler, SVP of strategic engagements and threats for the British cyber defence company Darktrace as he spoke to The Fintech Times.
“Financial services and institutions are the backbone of the US economy and vital to its stability and, thus, national security. In fact, the financial services industry is one of the 16 critical infrastructure sectors designated by the Cybersecurity and Infrastructure Security Agency. It is also one of the most targeted sectors by global cyber adversaries.”
Prior to joining Darktrace in 2019, Fowler spent 15 years at the Central Intelligence Agency (CIA) developing global cyber operations and technical strategies. He has led cyber efforts with various US intelligence community elements and global partners.
Fowler goes on to explain how time is of the essence when fighting financial cybercrime: “This legislation is crucial because timely notification plays a significant role in restricting an attack’s scale, especially for institutions dependent on threat intelligence for defensive capability.”
The new legislation will undoubtedly place a larger onus on security teams, and whilst it is crucial that incidents are reported and addressed properly, the requirement to respond at speed may inadvertently hinder the efforts and resources available to manage the situation internally.
“While there are many benefits to this requirement, reporting these incidents in a timely fashion will increase the burden on security teams and potentially distract teams from the ongoing incident response,” Fowler continues.
However, the ruling remains brief on exactly which type of incident would require notification, and on how the notification should, or could, be made to regulators. It allows either a phone call or an email to an agency official, although the efficiency of this process largely depends on banks having the relevant information to hand, both in what they need to report and who exactly they should report it to.
In terms of specifics, the ruling identifies large-scale distributed denial of service attacks, ransomware attacks and failed system upgrades as incidents that should be reported; however, there remains an element of vagueness as to what would warrant a report to regulators. The banks’ ability to spot the presence of breaches in the first place is also a factor.
Having considered the above, Fowler concludes our discussion with what he believes to be a suitable and practical approach: “Augmenting analysts’ capabilities with tools that can connect the dots among disparate security incidents and autogenerate the necessary report will play an essential role in helping banks report incidents within this tight 36-hour deadline.”