Federal Agencies Approve Cyberattack Rules for US Banking System

Last month, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board of Governors, and the Federal Deposit Insurance Corp. (FDIC) approved a final rule on how information about cyberattacks should be reported to U.S. banking regulators. According to the new rule, banks are required to report cyber-security incidents within 36 hours of their occurrence.

“The notification requirement for bank service providers is important because banking organizations have become increasingly reliant on third parties to provide essential services,” the regulators said in the rule. “Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization.” 

American Banker highlighted that notification is required if the incident is likely to disrupt their business, including threatening lenders’ operations, services to customers, or the stability of the financial system. 

The rule will also apply to companies that provide services to banks, which will be required to immediately notify their bank clients when disruptions are anticipated to affect customers for four hours or longer. 

A report by Cybersecurity Ventures found that total cyberattack costs are estimated to reach $10.5 trillion by 2025, as new account fraud, account takeover cases, and other types of crimes continue to increase. The Basel Committee on Banking Supervision (BCBS) warned that attackers had become “increasingly sophisticated” and had “more points of access to banks’ systems.” 

Compliance with the final rule is required by May 1, 2022.