FDIC Rule for Banks to Report Breaches
The US Department of the Treasury's Office of the Comptroller of the Currency, the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC) have finalized cybersecurity incident notification requirements for banks. The new rule requires banks to report security incidents to the FDIC within 36 hours after detection. The rule defines a qualifying cybersecurity incident as an event that “results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” The rule takes effect April 1, 2022, with full compliance extended until May 1, 2022.
Some will be excited about this 36-hour disclosure timeline, but as an IR practitioner, I'm pretty sure it's not going to be a net positive. First, while it's obvious that hiding a breach is counter to the public's interest, it's not clear what a 36-hour timeline will do to protect customers that a five-day deadline won't. Second, every time I've seen accelerated disclosure timelines like this, there's a countering force where organizations try to thread the legal needle of what precisely constitutes an incident. The definition in this case is fairly comprehensive - so much so that it's hard to imagine what doesn't constitute a reporting requirement. Overly broad definitions like this don't serve the public interest. Instead, they provide a convenient excuse for organizations to interpret the rules to avoid "reporting every little thing."
It’s interesting to see regulators outside of the EU adopt GDPR-type regulations, in particular with regard to mandatory reporting. However, I hope the FDIC will learn from some of the issues experienced when GDPR was first introduced by ensuring it has enough resources to deal with the volume of reports it will receive and that it gives clear guidance as to what determines a breach to be reportable. Finally, it is also critical that reported breaches are followed up to ensure the victim organisations investigate and remediate the breach properly and don’t simply treat the reporting requirement as a box-ticking exercise.
There was a lot of squishy language (like “good faith estimate”) in the original wording that was eliminated in response to comments, a good thing. But the basic definition of a “notification incident” is still pretty broad. For example, outages caused by service provider downtime that would still not violate the service providers’ SLAs could be considered a “notification incident.” The other issue will be whether the Treasury Agencies use all this data to proactively alert banking institutions of potential coming attacks or whether it is just a data collection effort.
Work with your regulator to understand the final order as it gets refined and clarified over the next six months. Develop a clear understanding of what the notification criteria mean for your financial institution, and be sure you know exactly who you are supposed to file the notification with and how.
Read more in:
FDIC: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (PDF)
SC Magazine: New rule says banks now have 36 hours to report a security incident to the FDIC
Dark Reading: US Banks Will Be Required to Report Cyberattacks Within 36 Hours
Cyberscoop: Banks must report major cyber incidents within 36 hours under finalized regulation
GovInfosecurity: Regulators: Banks Have 36 Hours to Report Cyber Incidents