Cyber Reporting: New Legislation Impacts US Banks
What Are the New Rules?
Cyberattacks on any type of organization can have serious consequences. Cyber incidents that impact computer systems and the theft of personal, financial, or other confidential information have the potential to cause long-term damage to anyone conducting personal or commercial online transactions. Businesses, consumers, and other internet users are constantly exposed to such threats.
Companies that fall victim to a cyberattack are required by law to disclose it and report the scale of the damage to the relevant authorities so that an investigation can begin. The authorities will need access to the company’s systems and data so they can see where the intrusion happened and, eventually, trace it back to the attacker.
A cyberattack can be reported at different stages, even if complete information is not available. The following information may be useful:
- who you are
- who experienced the attack
- what sort of incident took place
- how and when the incident was first discovered
- what response actions have already been taken
- who has been informed of the incident
Cyberattacks on private sector organizations should be reported to federal law enforcement agencies’ local field offices, their sector-specific agency, and any of the federal agencies listed below:
If a law or contract requires the impacted institution to report a cyber incident, the institution should comply with that obligation. In responding to the incident, the federal agency that receives the initial report will collaborate with other relevant federal interested parties.
Critical Infrastructure Sectors Required to Report Cyberattacks
On March 15th, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), establishing requirements for banking/financial enterprises that are subjected to cyberattacks.
Organizations that provide critical national infrastructure in the United States are required by the new law to inform the Cybersecurity and Infrastructure Security Agency (CISA) of significant cybersecurity incidents within 72 hours and of ransomware payments within 24 hours.
The law also gives CISA the authority to issue subpoenas to companies that fail to notify of such incidents on time.
Heimdal™ CEO Morten Kjærsgaard said:
This new law recalibrates the way businesses are working, to ensure an environment where they have to act and give a more sustainable future. Being forced to report cyberattacks – ransomware, especially – is not a bad thing, because if you don’t act, it would only allow cybercriminals to carry on with their illicit activities, and that has to stop.
New Cyber Notification Rule for the US Banks
Starting May 1st, US banking organizations and their bank service providers will be required to notify the federal agency that acts as the financial institution’s primary supervisor of a cyberattack within 36 hours, a tight deadline that some enterprises may find difficult to meet.
This is the shortest time required by any law and it will undoubtedly be a challenge to all banks, particularly for small financial institutions with limited security team resources.
It will also be a difficult period for organizations, because while they are investigating and reporting an incident for legal reasons, their primary focus will most likely be on business continuity and incident response. Furthermore, financial institutions will almost certainly need to hold internal discussions with their legal departments about what constitutes an incident that has to be reported.
The deadline to conform to the rule comes as the Biden administration has warned organizations all over the US about the rising threat of Russia-backed cyberattacks. Kjærsgaard added:
In light of the Russia-Ukraine crisis, governments in the EU and the US are 100% right in advocating for stronger security measures at the national, municipal, and even private levels. This new law should receive strong support since the current security situation is critical and demands major investment and improvement!
The FDIC, the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) (collectively, the agencies) issued a joint final rule requiring banks to comply with a shorter timeframe.
As per the rule, banks must alert their primary regulator as quickly as possible and no later than 36 hours after establishing that “a computer-security incident that rises to the level of a notification incident has occurred.”
The rule defines a computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or of the information it processes, stores, or transmits.
US Banks, an Appealing Target for Cybercriminals
As shown in a 2022 report published by American cloud computing and virtualization technology company VMware, 63% of banking institutions saw an increase in cyberattacks in the previous year, a 17% increase from the past year’s report.
Given the approaching deadline, now is a good time for a bank’s IT professionals to emphasize the importance of investing in cybersecurity, to inform the board that this is a critical priority, and to pay closer attention to cybersecurity in general. On this matter, Morten Kjærsgaard declared that:
Cybersecurity was never optional. Now, this is just becoming clear to a larger audience.
Cybersecurity legislation forces businesses and organizations to safeguard their systems and data from cyberattacks such as viruses, trojan horses, phishing, denial of service (DoS) attacks, unauthorized access (theft of intellectual property or confidential data), and control system attacks. Whilst this is not easy to do, it provides long-term benefits for the organization and for the entities it does business with.
If you are interested to see how Heimdal can protect your organization, contact us today to speak with a representative.