Banks Must Report Cyber Incidents Beginning in May 2022

U.S. financial institutions are leaders in global cyber defense. Recently approved rules will mandate the reporting of security incidents next year. We explore the topic with cybersecurity expert Michael McLaughlin.

According to Reuters, “Israel on Thursday led a 10-country simulation of a major cyberattack on the global financial system in an attempt to increase cooperation that could help to minimize any potential damage to financial markets and banks.

“The simulated ‘war game,’ as Israel’s Finance Ministry called it and planned over the past year, evolved over 10 days, with sensitive data emerging on the Dark Web. The simulation also used fake news reports that in the scenario caused chaos in global markets and a run on banks.”

Obviously, these exercises are performed to prevent such a scenario from ever occurring in real life. But in order to improve communication and coordination both domestically and internationally, new rules are being put in place regarding the reporting of cyber incidents.

Back in November, a new reporting rule was approved by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency (OCC). The new rule will take effect on April 1, 2022, with full compliance expected by May 1, 2022.

According to TechCrunch, “U.S. financial regulators have approved a new rule that requires banking organizations to report any ‘significant’ cybersecurity incident within 36 hours of discovery.

“Under the rule, banks must inform their primary federal regulator about incidents that have — or are reasonably likely to materially affect — the viability of their operations, their ability to deliver products and services, or the stability of the U.S. financial sector. That could include large-scale distributed denial of service (DDoS) attacks that disrupt customer access to banking services, or computer hacking incidents that disable banking operations for extended periods of time.

“Additionally, banks — which the rule defines as ‘banking organizations’ including national banks, federal associations and federal branches of foreign banks — must notify customers ‘as soon as possible’ if the incident has or might materially affect their customers for four hours or more.”

INSIGHTS FROM LIEUTENANT COMMANDER MICHAEL McLAUGHLIN

I first became aware of these new rules when I saw an excellent LinkedIn post from a trusted industry cyber expert and friend, Lieutenant Commander Michael McLaughlin.

McLaughlin is the chief of Counterintelligence and Human Intelligence (J2X) for the U.S. Cyber National Mission Force at Fort George G. Meade in Maryland. He is an experienced military officer with a proven history of excellence leading complex technology-driven enterprises worldwide. He has designed, built and led successful multinational teams and operations.

McLaughlin has a demonstrated ability to balance creative thinking, technical acumen, strategic planning and operational execution in groundbreaking projects. He has successfully managed multimillion-dollar programs and budgets.

I have had the pleasure to be on webinars on various cybersecurity topics with Michael, and I am always impressed with his fresh, insightful answers to difficult questions.

MORE DETAILS ON THE UPCOMING BANKING CYBER RULES

Here are the details posted on LinkedIn by Lieutenant Commander McLaughlin that received many comments (used by permission):

“Beginning May 1, 2022, financial institutions will have to report major #cybersecurity incidents to federal officials within 36 hours. The final rule establishes two primary requirements: First, the final rule requires a banking organization to notify its primary federal regulator of a cyber incident no later than 36 hours after the banking organization determines that a #cyber incident has occurred. Second, the final rule requires notification of customers as soon as possible when the bank service provider determines it has experienced a cyber incident that has materially disrupted or degraded (or is reasonably likely to materially disrupt or degrade) covered services for four or more hours.

“What is a ‘banking organization’? Any national bank, Federal savings association, or Federal branch or agency of a foreign bank. What is a ‘bank service provider’? Anyone performing services who is subject to the Bank Service Company Act (BSCA).

“Here is what will need to be reported (non-exhaustive list):
1. Large-scale distributed denial of service (#DDoS) attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
4. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
5. A computer hacking incident that disables banking operations for an extended period of time;
6. #Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core #business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
7. A #ransomware attack that encrypts a core banking system or backup data.”

INTERVIEW WITH LIEUTENANT COMMANDER MICHAEL MCLAUGHLIN

Dan Lohrmann (DL): Were there items included in the final reporting rule that surprised you?

Lieutenant Commander Michael McLaughlin (MM): The final rule mandates reporting only for those cybersecurity incidents that cause material harm to a banking organization’s ability to operate. This threshold means that the malicious actors targeting the financial sector must be successful in their attack in order to trip a reporting requirement. In other words, if a banking organization is successful in thwarting a cyber attack, there is no requirement to share information about that attack to the broader financial sector. That means the same actors could target multiple banking organizations in succession, and the activity would only be reported where the actors cause “actual harm” that results in an inability of the banking organization to deliver services to its customers. Given the increased focus on transparency and information sharing in response to the recent surge in both ransomware and nation-state cyber activity, this requirement seems out of sync with similar regulations governing other critical infrastructure sectors.

DL: Are there items that will be difficult for banks to comply with by the deadline? Or was this fairly straightforward and expected?

MM: The rule specifies that the deadline is 36 hours after the banking organization determines that a notification incident has occurred. The clock starts not upon identification of a breach or compromise, but upon a bank’s own subjective determination that the compromise has “materially disrupted or degraded” its ability to operate. Contrast this with the TSA’s requirements that railways report within 24 hours and pipeline operators report within 12 hours of the discovery of a cybersecurity incident. Given the more strict requirements levied upon other critical infrastructure sectors, this requirement does not appear to be overly onerous.

DL: Are other critical infrastructure sectors going to be next? How soon do you expect this to happen?

MM: Many critical infrastructure sectors already have reporting rules in place, including the defense industrial base, transportation and health care. Given the recent surge in ransomware attacks targeting critical infrastructure, we are very likely to see reporting and other cybersecurity requirements applied to all critical infrastructure sectors within the next one to two years.

DL: Are there aspects of this rule that will (or should) provide guidance to other sectors even if reporting is not required?

MM: The application of this rule to bank service providers is significant. Outsourcing of certain services is increasing across all industries, and with it comes increased threat of inheriting third-party cybersecurity risk. Mandating incident notification requirements not just for banking organizations but also for bank service providers aims to ensure that incidents affecting third parties are reported as well. Across all critical infrastructure sectors, reporting requirements cannot be designed in a vacuum and must take into account third-party risks.

DL: Anything else you want to add?

MM: The primary difference between this rule and other recent cybersecurity requirements — such as TSA’s recent directives governing the cybersecurity of pipelines and rail — is this rule merely imposes a reporting requirement. Other critical infrastructure sectors are obligated to have designated cybersecurity coordinators; required to conduct and document vulnerability assessments; and have much lower thresholds for mandatory reporting, including unauthorized access to systems, discovery of malware, physical attacks or a cyber incident that results in any type of operational disruption, among others. Given the importance of the financial sector in day-to-day life, coupled with the significant increase in ransomware activity targeting every sector, this reporting requirement does not seem to reflect the overall risk of a cyber attack on banking organizations.

FINAL THOUGHTS

No doubt, some readers are wondering why I highlight this financial reporting rule change in this government technology blog. The reason is this answer from McLaughlin, which I agree with:

“Given the recent surge in ransomware attacks targeting critical infrastructure, we are very likely to see reporting and other cybersecurity requirements applied to all critical infrastructure sectors within the next one to two years.”

So is mandatory reporting of cyber incidents coming for state and local governments? I personally believe it is coming by the end of 2023. In fact, it is one of my 2022 cyber predictions. Specifically, an announcement may be coming by the end of 2022 for implementation by the end of 2023.

The lessons learned by the banks on reporting beginning next spring will be important. And only time will tell what happens next.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.