Starting May 1, banks in the U.S. will be required to notify their primary federal regulator of a cybersecurity incident within 36 hours, a tight turnaround time that could be challenging for some institutions, said David Murphy, cybersecurity manager at accounting firm Schneider Downs.
"It's definitely going to be a challenge, especially for small banks," Murphy said of the new rule, which also applies to bank service providers.
The deadline to comply with the rule comes as the Biden administration has warned U.S. businesses about the increasing risk of Russian cyberattacks.
President Biden has also encouraged businesses to comply with a new law, included in the $1.5 trillion spending bill he signed last month, that requires companies to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of learning of a hack.
The joint ruling issued, by the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve in November, requires financial institutions to adhere to a shorter timeline.
"The 36 hours is actually probably one of the tightest rules out there, as far as timeline goes," Murphy said. "In addition to that, you have to consider what designates a reportable incident."
Under the rule, banks are required to notify their primary regulator as soon as possible and no later than 36 hours after the firm determines that "a computer-security incident that rises to the level of a notification incident has occurred."
In the ruling, the agencies define computer-security incident as "an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits."
Murphy said the agency's language regarding what qualifies as a "notification incident" is fairly broad.
"I think they intentionally left it in that gray area," Murphy said. "They just want you to contact them even if you think that there's a gray area and then they'll let you know. It's going to be a good thing, in general. I think it's going to awaken people to how big the problem is, because I think the industry as a whole doesn't really fully understand."
Murphy said banks will likely need to have internal discussions with their legal departments around what constitutes a reportable incident.
"That's probably something that will be litigated later on," he said.
Escalating threat
"Banks have always had some level of regulation on them as it relates to cybersecurity. But in this case, I think what regulators are trying to do is nail down, ‘How big is this problem?'" said Murphy on the impetus for the rule.
According to a 2022 report by cloud computing company VMware, 63% of financial institutions experienced an increase in cyber attacks in the past year, a 17% increase from the previous year's report.
U.S. banks have been targets for hackers amid escalating international conflicts in the past.
In 2012, Iranian hackers, responding to U.S. sanctions against the country's nuclear weapons program, attacked Capital One and BB&T, causing widespread outages at the two banks.
As next month's incident reporting deadline approaches, Murphy said banks need to have the phone numbers and email addresses of the appropriate agency official readily available in the event of a security incident.
"That information should be ready to go. Thirty-six hours is a short timeline, and there might be some debate," Murphy said. "That's probably going to be the hardest part, debating what meets that threshold."
As warnings and guidance around cyber risks in the banking sector increase, Murphy said it's a good time for a bank's IT staff to highlight the importance of cybersecurity investments.
"It definitely gives the IT staff an opportunity to seek more funding and let the board know that this is an important thing to do and take care of cybersecurity in general," he said.