A new federal regulation stipulates an unprecedented cybersecurity breach reporting window of 36-hours or less for just about everyone in the banking ecosystem.
The notification timeline in this rule is tight. It’s half as short as the New York State Department of Financial Services’ (NYDFS) cybersecurity event notification requirement and the European Union’s General Data Protection Regulation (GDPR) notification rules, both of which give up to 72 hours.
Who is subject to the 36-hour notification requirement?
Most critically, it has cast a broad net. The provisions cover financial service providers not previously subject to oversight, including everyone from FinTech vendors to check processing firms. It also covers smaller banks with less specialized cybersecurity experience than their larger counterparts.
The final rule, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was issued jointly by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Banks (FRB), and Office of the Comptroller of the Currency (OCC) and went into effect in May 2022.
The 36-hour maximum is the absolute latest a banking organization can call the regulators, as the rule says to notify them ‘as soon as possible and no later than 36 hours.’ This is a “drop everything and call the agency” moment. Bank service providers must act even more quickly. They have to call or email their banking institution clients as soon as possible.
What resources will be required to notify customers of breaches?
Most large and midsize banks already have the teams, processes and infrastructure in place to meet these latest requirements. Those who have not made the same investments in their incident management program will be the most impacted by this new rule, namely smaller and less-prepared banks, and bank service providers.
These organizations may struggle to respond to and report on a cybersecurity incident if they’ve never been through a big one before. In fact, it may be hard for many of them to even know where to start in order to figure out how long it would take for them to inform regulators or bank institution customers about a cyber incident.
Key indicators of breach detection and notification readiness
There are several key performance indicators (KPIs) that leaders at small financial institutions can use as a litmus test to see whether these capabilities are up to the task. These KPIs may not be able to directly tell an organization if it is ready to respond to the new notification window, but they are highly correlated to the readiness necessary for quick breach detection and response.
These KPIs include attack dwell time, detection and response blocking rates, signal to noise ratios. If your organization does not measure these KPIs, that may be a sign that it is time to seek outside help to assess your cyber readiness.
How can banks and service providers proceed?
Before resource-constrained organizations allocate tens of thousands of dollars on penetration tests or other expensive security assessments, they should consider their options.
ActZero can help companies prepare for this rule with a free, finance-focused look at their response capabilities and whether they're ready to rapidly report on the fallout.
The ActZero Ransomware Readiness Assessment for Finance Entities provides a low-cost, hassle-free, and effective assessment.
The free readiness assessment provides:
The process takes about four hours and provides an objective barometer measuring the organization’s preparedness to meet this latest round of regulation from the FDIC, FRB, and OCC.
Financial institutions can benefit from this free third-party assessment in other ways beyond understanding compliance readiness.
They receive immediate intelligence about compromised account credentials on the dark web, as well as an early warning of attacks targeting their peers. Furthermore, they get to test their mettle against simulations of advanced ransomware to understand how their current security stack stood up, culminating in a simple-to-understand percentage of motions blocked and a comparison of what that score would be if they had additional cyber readiness resources. In fact, some financial organizations may also want to extend this assessment into a more thorough ActZero Blueprint for Ransomware Defense, which provides a complete plan for improving their entire cybersecurity risk management posture.
To learn more about the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, check out our eBook here. For more information on how to schedule a readiness assessment, fill out a form here.