Written by Tim Starks

A milestone date for ambitious federal banking sector cybersecurity regulations that debuted at the end of the Trump administration is almost here.

Monday, April 12 is the deadline for comments on an initial proposal that would require a wide range of financial companies to report more types of cyber incidents to regulators within 36 hours. It is a stricter schedule than many comparable regulations; the European General Data Protection Regulation notification window is twice as long, at 72 hours.

The relatively short notification requirement received most of the attention when the Federal Reserve Board of Governors, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Treasury announced the rule in December. The financial services sector is expected to push back significantly against what it sees as an overly aggressive demand.

Some analysts, however, cite the types of incident reports that must be filed, and by whom, as the most notable elements of the proposed rule, rather than the 36-hour window.

The rule, “Computer-security incident notification requirements for banking organizations and their bank service providers,” had been in development for months before its rollout in December. But the rule touches on third-party vulnerabilities and incident response requirements, two fresh questions on the minds of policymakers after the SolarWinds campaign that went public around the same time, in which attackers exploited the software vendor’s supply chain to compromise nine federal agencies and major technology companies.

In March 2020, Finastra, a London-based banking software provider for many of the world’s largest banks, revealed that it had suffered a ransomware attack that forced it to disconnect some servers from the Internet. Later, the Securities and Exchange Commission warned of an increase in the sophistication of ransomware attacks in the financial sector.

One of the main provisions of the proposed rule is therefore that banking service providers should, for the first time, notify banking organizations when they experience harmful cyberattacks, defined in the rule as those which could “disrupt, degrade or compromise the provision of services.”

“One of the new things about this and very important is the extent to which it goes beyond the financial services industry to reach banking service providers,” said Arthur Nelson, associate director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.

Banking service providers are defined by law as companies that provide “sorting and posting of checks and deposits, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.”

Another major provision of the regulation focuses on what triggers a notification. Under current regulations, banks are already required to report customer data breaches.

The new rule would go further by requiring banks to notify their regulatory agencies of cyber incidents “that could result in a banking organization’s inability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector,” according to the agencies’ summary.

Examples include distributed denial-of-service attacks that block customer account access for more than four hours, or ransomware that encrypts a core banking system. The idea is to give agencies a chance to act when an attack causes big problems.

Most major industry groups are expected to file comments on the rule by Monday’s deadline. So far, only a handful of small organizations and individuals have provided the official responses that appear on regulations.gov. (Several major banking providers did not respond to requests for comment Friday by press time.)

The agencies are seeking feedback on issues such as what should define a “computer-security incident,” to what extent banking service providers should notify their customers during a disruptive attack, and whether the 36-hour requirement is appropriate.

The requirement to report within 36 hours is an important part of the rule. Most state data breach notification laws require responses within days or months.

“I think this will be a very difficult rule, if it comes into play as it is currently set, that organizations will have to adhere to,” said David Kessler, head of data and risk information at Norton Rose Fulbright, a law firm that represents businesses in the financial services sector. “The reality is that these events tend to be very complicated, especially for financial institutions.”

But there is some leeway in this quick timeframe.

“If you look in real language, it’s very difficult to say, ‘When in 36 hours does the clock start?’” Nelson said. “They made it clear in the proposal that it doesn’t start when the incident occurs or even when the company first finds out about it.”

Still, the industry could raise concerns about how the proposed rule aligns with international frameworks, as well as with a separate track within Congress to advance incident reporting legislation. International organizations have also considered how to harmonize incident reporting.

Although the rule got its start under the Trump administration, which touted its efforts to reduce federal regulation, few were surprised to see it cross the finish line. There was little evidence that the rule came to the attention of Trump’s White House during the apolitical bureaucratic regulatory process.

“I don’t think the Trump administration was touching it too much,” Nelson said.

There is no set timeframe for when the proposed rule could become final after the comment period ends.
