News

Banks now required to report cyber incidents within 36 hours

  • www.securitymagazine.com
  • published date: 2021-11-22 00:00:00 UTC

<div class="body gsd-paywall article-body">
<p>Federal bank regulatory agencies approved a rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system.</p>
<p>The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than <strong>36 hours</strong> after the banking organization determines that a cyber incident has occurred. Notification is required for incidents that have materially affected — or are reasonably likely to materially affect — the viability of a banking organization’s operations, its ability to deliver banking products and services, or the financial sector’s stability.</p>
<p>In addition, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.</p>
<p>Compliance with the final rule is required <strong>by May 1, 2022</strong>.</p>
<p>James Hadley, Founder and CEO of Immersive Labs, says, “This new regulation is a reflection of the growing breadth of impact cyberattacks have on financial services. Technology is no longer just a part of the industry but the operating system on which the entire sector runs. Attacks now mean more than short-term reputational and financial loss for a single institution, having the potential to spread through interconnected infrastructure with a significant impact on people and business. Such regulation will encourage the sharing of critical knowledge at a pace that will allow senior stakeholders inside interlinked organizations to respond more effectively. This kind of swift and collaborative response, coupled with regular exercising, will improve decision making and improve resilience across the board.”</p>
</div>