U.S. banking regulators on Thursday signed off on a new rule that requires banks to report significant cybersecurity incidents to their primary federal regulator within 36 hours of determining that such an incident has occurred. The final rule, approved by the OCC, the Federal Reserve and the FDIC, requires bank compliance by May 1, 2022.
The final rule also requires a bank service provider to notify each affected bank customer "as soon as possible" when the provider determines that it has experienced a computer-security incident that has disrupted, or is reasonably likely to disrupt, its services to that bank for four or more hours.
Examples of incidents that would trigger the notification requirement include a large-scale distributed denial-of-service attack or a computer hacking incident that disables banking operations.
“Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years,” the regulators wrote in the final rule. “These cyberattacks can adversely affect banking organizations’ networks, data, and systems, and ultimately their ability to resume normal operations.”
Similar reporting obligations already exist under the Bank Secrecy Act and the interagency guidance on unauthorized access to consumer information; however, those regimes do not cover all computer-security incidents. The banking regulators therefore want a more complete view of attacks, reported far more quickly.
In the final rule, the regulators acknowledged banks' growing reliance on third parties to provide essential services, and the cybersecurity threats to which those third parties are themselves exposed.
“Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization,” the final rule states.
The notification requirement was first proposed by the regulators in December; after critical feedback from industry groups, several elements of the proposal were changed in the final rule.
“After considering the comments carefully, the agencies are replacing the ‘good faith belief’ standard with a banking organization’s determination,” the final rule states. “The agencies agree with commenters who criticized the proposed ‘believes in good faith’ standard as too subjective and imprecise.”
Notably, the final rule does not spell out any consequences for banks that fail to comply with the notification requirement.
In July, the same three banking agencies issued a proposal on risk management for banks' third-party relationships. That proposal gives banks and fintech companies an opportunity to shape a risk management framework that is consistent across the banking agencies, something that has so far been lacking.
Currently, each of the federal banking agencies has its own version of third-party risk management guidance, including the FDIC’s Guidance for Managing Third-Party Risk (2008), the OCC’s Third-Party Relationships: Risk Management Guidance (2013) and the Board’s Guidance on Managing Outsourcing Risk (2013).
By technology standards, however, that guidance is dated. Given the pace at which the fintech ecosystem moves, Thursday's final rule places the burden on banks to assess and report incidents themselves when a crisis hits.
On Nov. 16, the Acting Comptroller of the Currency, Michael J. Hsu, said in remarks at the Federal Reserve Bank of Philadelphia's Fifth Annual Fintech Conference that “[t]hese fintechs are reassembling the three legs of banking [by taking deposits, making loans, and facilitating payments] synthetically, outside of the bank regulatory perimeter,” a phenomenon he calls “synthetic banking.”
Hsu also stated that modernizing the bank regulatory perimeter cannot be accomplished by simply defining the activities that constitute ‘doing banking,’ but will also likely require determining what is acceptable in a bank-fintech relationship.