Report data breaches within 36 hours? Banks are OK with that.

A final ruling by federal regulators on how soon a bank has to report a data breach or computer-security incident gives banks far less time than current state mandates — but also limits the type of incident they have to report.

The rule finalized last week from the Federal Deposit Insurance Corp., Federal Reserve Board and the Office of the Comptroller of the Currency states that if an incident has caused serious harm or is likely to, a bank must report the breach to its regulator of record "as soon as possible and no later than 36 hours." It also requires bank service providers to notify affected banks when they have computer-security incidents that are likely to cause a material service disruption or degradation for four or more hours.

The new rule becomes effective on April 1, 2022; banks must be in compliance by May 1, 2022.

Industry observers say the new rule is in keeping with some of the voluntary reporting banks already do.

"I don't see this as something that is going to change life much for anybody, but it will allow regulators to come in and ask what the bank actually knew and when," said Tari Schreider, senior cybersecurity analyst with Aite-Novarica.

Bankers also seemed content with it.

"I describe it as a standardization of what has been a well-worn practice within the banking industry to give early voluntary notice around a lot of different types of incidents or events," said Denyette DePierro, vice president of cybersecurity and digital risk for the American Bankers Association.

States carry different rules regarding data breach notification, but most cite the need to notify the state's attorney general and affected consumers in "the most expedient time possible" with some establishing timelines of no more than 45 days or 60 days after a breach has been determined, according to the International Association of Privacy Professionals' summary of state laws. In some cases, the timeline varies according to the number of people affected. Congress is also investigating breach notification processes beyond the banking industry.

How the new federal mandate will fit in with other regulations isn't quite clear, but the wording in the new federal rule clarifies what banks need to do and is more specific about what constitutes a reportable breach.

The rule requires banks to report any “significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade” the viability of their operations, results in customers being unable to access their accounts, or impacts the stability of the financial sector. A computer-security incident is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”


"When you look closely at this rule, it is trying to identify the actual harm in using terms like 'material' and 'disruption,'" DePierro noted.

The agencies said they reviewed available data and suspicious activity reports involving cyber events against banks in 2019 and 2020 to estimate they could receive about 150 reports annually under the new rule. They did, however, acknowledge the number could increase in the future because supervisory and SARs data may not have captured all such previous incidents.

Discussions between regulators began a year ago, and the federal agencies sought recommendations and feedback from those in the banking industry through the early part of 2021. 

The ABA put together a working group of more than 100 financial institutions of all sizes to study the federal rule proposal and provide feedback.

The working group delivered its input in an April 12 letter to the three agencies that issued the rule. The group asked the federal agencies to avoid vague terms like "good-faith belief" in establishing when a bank feels it is time to report an incident.

"We asked them not to use the good faith standard, but rather asked for a determination on certain facts," DePierro said, adding that actual harm and material disruptions to service, or enterprisewide impact were important, not just the impact on a particular product or business.

The ABA group also stressed that any notification rule should acknowledge the importance of voluntary notification on behalf of banks and their in-house policies, and should not replace current voluntary notification processes. The ABA also expressed concern that without specifics to justify a notification, the new rule might be too broad and could lead to banks' possibly flooding regulators with mundane incident reports.

The regulators apparently took this feedback to heart. DePierro said she views the new rule as a "disruption notice" more than a 36-hour notice. The specific wording in the rule makes it clear what sort of disruption should be reported, and banks typically would report this type of incident in that time frame anyway.

Still, the new rule indicates federal regulators are serious about security information sharing.

"Organizations can't hide behind the excuse of maybe saying law enforcement told us not to tell anybody," Schreider said. "It will eliminate some of these excuses and make notifications more honest and forthright."

It should not be a major burden on banks to comply with the new rule next year, but it should result in closer attention to the notification process, Schreider noted.

"There is no downside to this," he said. "It brings it to the bank board's attention and they should ask what the bank is going to do about this new rule and what kind of rules the banks have in place to comply. As much as anything, a bank board can now point to this as something new in cybersecurity. Unfortunately, that is where we are at in cybersecurity: We need something new to remind us of what to do."

The Financial Stability Board, an international group that monitors and makes recommendations about the global financial system, is calling for the financial sector to develop a common method for reporting cyber incidents as a way to stem a growing threat to bank websites.

Too much cyber-incident reporting remains fragmented across different jurisdictions and sectors, the FSB noted in its October 2021 report.

Fragmentation could undermine a financial institution's response and recovery actions after a breach, the FSB stated. The organization would like to eliminate differences that exist in reporting methodologies, timelines and how reports are used. Such efforts at consistency would lessen constraints in information sharing among financial authorities and financial institutions.

"The FSB is seeking to influence accountability," said Ivan Tsarynny, CEO of Toronto-based Feroot Security, which develops website security software. "More accountability can be very helpful and good for the consumer who has maybe lost a credit card or had checking account information stolen or funds taken from an account."
