In one of the strictest cybersecurity incident management rulings to date, starting May 1, banks in the U.S. will be required to notify their primary federal regulator of a cybersecurity incident within 36 hours. How is your company preparing to meet this requirement?

From a cybersecurity incident management perspective, this represents one of the tightest required turnaround rules across the security industry. It will present a challenge to all banks, but in particular to smaller banks with limited security team resources.

The deadline to comply with the rule comes as the Biden administration has warned U.S. businesses about the increasing risk of Russian cyberattacks.

President Biden has also encouraged businesses to comply with a new law, included in the $1.5 trillion spending bill he signed last month, that requires companies to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of learning of a hack. 

In the ruling, the agencies define computer-security incidents as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

The language defining what qualifies as a “notification incident” is fairly broad, something that most experts agree was intentional. The law is designed to encourage and promote notification to governing bodies; however, its vagueness also opens the door to litigation down the road.

Escalating threat

The new law comes in the face of escalating attacks on financial institutions, both worldwide and in the US.

According to a 2022 report by cloud computing company VMware, 63% of financial institutions experienced an increase in cyberattacks in the past year, a 17% increase from the previous year’s report, with most experts expecting this uptick to be a continuing trend for the foreseeable future.

An Opportunity for the CIO, CISO and InfoSec Teams

This new law definitely provides strong justification for additional resources, both to guarantee response times as a reactive measure and to invest in preventative solutions that pre-empt incidents.

The need for more automation and integration of risk management and resiliency tools is clear.
