Three Immediate Actions for Financial Institutions and Bank Service Providers
Financial institutions, banking organizations and bank service providers will soon be on the clock for reporting cyberattacks. The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (the Fed) and the Office of the Comptroller of the Currency (OCC) issued a new rule called the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers. Finalized on Nov. 18, 2021, the new rule gives financial institutions 36 hours to notify the institution’s Federal regulator, once the organization determines that a computer-security incident that rises to the level of a “notification incident” has occurred. The rule also requires “bank service providers” (as defined in the new rule) to notify each affected banking organization customer when it is determined a computer security incident has caused, or is reasonably likely to cause, a material service disruption or degradation of four or more hours.
You may read the full rule text here.
Financial institutions have seen a marked increase in cyber events and data breaches. Ransomware has been especially damaging to bank operations. According to a report by Trend Micro Incorporated, the financial institution industry experienced a year-on-year increase in ransomware attacks of 1,318 percent during the first half of 2021.1 This new rule is an attempt to limit the impact of a criminal security incident by providing the Federal banking regulators early awareness a cybersecurity threat before it becomes systemic in the financial industry.
The final rule takes effect on April 1, 2022, with a compliance date of May 1, 2022, so financial institutions should use the time to review and test incident response policies, consider additional IT security measures to further protect sensitive information, and evaluate reliance on third-party service providers.
Because the new rule requires financial institutions to notify their primary Federal regulator (i.e., FDIC, the Fed or OCC) within 36 hours, it is critical that financial institutions have processes in place to meet these requirements.
Here are three steps your organization can take now to ensure you are ready when the new rule takes effect:
| 1 || Review your incident response plan – Update your policies and procedures and validate your organization can meet the new regulatory requirement. The plan should clearly outline understanding of what constitutes a cyber incident and who to contact. |
| 2 || Test your response processes – In addition to adapting your response policy, it is important to confirm all internal stakeholders are aware of the new rule and what is required for the notification process. Conduct table-top exercises and in-depth simulations to make sure your response and documentation is accurate, effective and compliant. |
| 3 || Strengthen cybersecurity processes – Implementing an effective information security program helps prevent the likelihood and impact of a cyber incident, such as ransomware, data theft or fraud. |
How DHG can help
The Cybersecurity Advisory team advises financial institution clients with developing, enhancing, and testing their incident response plans and capabilities. We support Internal Audit departments with audits based upon the FFIEC Cybersecurity Assessment Tool (CAT), as well as assessments of cybersecurity programs against industry standard frameworks.
We welcome the opportunity to collaborate with your financial institution to help protect your sensitive information and customer’s data. Please contact Tom Tollerton at email@example.com.