Financial institutions have some of the strictest business regulations in the United States, and with good reason. At the same time, banking organizations are a growing target for cyberattacks.
One study by Trend Micro reported a 1,318% rise in ransomware attacks targeting banks in the first half of 2021.
Now, the federal government is stepping in to provide more security transparency, aimed at detecting damaging cyber incidents early.
Many banks will have just a day and a half to report cyber incidents, under a new rule that will go into effect on May 1, 2022.
A new rule, backed by the U.S. Treasury's Office of the Comptroller of Currency (OCC), the Board of Governors of the Federal Reserve (Board), and the Federal Deposit Insurance Corporation (FDIC), has been approved in an effort to enforce reporting standards related to banks.
Financial institution cyberattack reporting requirements
According to the language of the rule, the federal agencies believe early reporting is key.
"This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic."
The final rule will ask for all banking organizations to report a "notification incident" within the 36-hour time frame to the primary federal regulator. Below, you will see how a notification incident is being described.
"As defined in the final rule, a notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's:
(i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States."
Banking organizations, as described in the final rule, will include "national banks, federal savings associations, and federal branches and agencies of foreign banks."
The rule will begin implementation on April 1, 2022, with complete compliance expected by May 1, 2022.
The FDIC tweeted a quote from Chairman Jelena McWilliams.
Within the final rule, there is a section dedicated to 35 comments received, which provide feedback from financial sector entities, third-party service providers, and other groups and individuals involved with shaping the requirement.
Support for the final rule was in the majority, with only a few commenters opposing regulations.
"A majority of commenters supported the proposal, agreeing that providing prompt notice of significant incidents is an important aspect of safety and soundness, and they supported transparent and consistent notification from bank service providers to their banking organization customers. A number of these commenters offered suggestions to clarify certain aspects of the requirements or lessen the perceived burden. Commenters also generally supported the agencies' efforts to harmonize with existing definitions and notification standards.
Four commenters opposed the proposal, contending that compliance would be burdensome or duplicative of existing requirements, and may impede banking organizations' and bank service providers' abilities to respond effectively to incidents."
Cybersecurity incidents in the U.S. are vastly underreported
Low incident reporting is not exclusive to financial institutions alone. According to Jeremy Sheridan, Assistant Director of the U.S. Secret Service, cyberattacks are severely underreported.
One of the problems of not reporting cyber incidents means the statistics shared may not be a very accurate portrayal of what is really happening. Right now, we are seeing this play out with ransomware.
"We feel that if a payment decision is made, and again, [that's an] individual organization decision, it should be accompanied with reporting to law enforcement. And one of the biggest challenges we have: It's well known that the ransomware crimes that occur, even those that we know, are vastly underreported. The latest estimates are around 20% of actual ransomware instances get reported to law enforcement or insurance or regulators," Sheridan said at SecureWorld Great Lakes virtual conference.
Cindy Liebes, Chief Program Officer for the Cybercrime Support Network, shared details about the exhausting aftermath of cleaning up after a cyber incident. However, she also pointed out that only a small fraction of cybercrimes are actually being reported. Liebes said:
"So, what is the impact of cybercrime? The impact of an online scam is devastating, not only financially, but it's devastating emotionally to the people or the organizations that are impacted. It's said that one in four adults are impacted by cybercrime, and the FBI in 2020 said over 800,000 people reported that they were the victims of a cybercrime and also $4.2 billion of losses were reported. But that's only losses that were reported.
The numbers are staggering. The numbers actually could be as high as $338 billion per year and 15 million American consumers and small and medium-sized businesses and large businesses impacted by cybercrime. This is truly truly an economic crisis that nobody is really talking about."
Will this new rule forge a path in the right direction? Share your comments below with SecureWorld News.
Resources
If you belong to a financial organization, join Prakash Sinha, Technology Executive and Evangelist for Radware, as he presents How to Effectively Secure Open Banking APIs. In this SecureWorld Remote Sessions webcast, you will learn the differences between traditional and open banking, the security implications, and the best practices. Attendees are eligible for CPE credit.
Registration is currently open for SecureWorld's last conference of the year, the West Coast virtual conference on December 2nd. The agenda is packed with expert presentations and panel discussions.
