Banking Organizations May Face New Breach Notification Requirements from US Regulatory Bodies

US regulators have released a Notice of Proposed Rulemaking (NPRM) that would oblige banking organizations and bank service providers in the country to adhere to more stringent reporting requirements for security incidents. The rule would require a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible, and no later than 36 hours after the organization determines in good faith that such an incident has occurred.

The proposed regulation, entitled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule), would also oblige bank service providers to notify at least two individuals “at affected banking organization customers” immediately after a security incident disrupts, degrades or impairs services for at least four hours.

The notice, published January 12 by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC), follows an increase in cyberattacks reported to federal law enforcement in recent years.

“These types of attacks may use destructive malware or other malicious software to target weaknesses in the computers or networks of banking organizations supervised by the agencies,” the notice reads. “Some cyberattacks have the potential to alter, delete, or otherwise render a banking organization’s data and systems unusable. Depending on the scope of an incident, a banking organization’s data and system backups may also be affected, which can severely affect the ability of the banking organization to recover operations.”

The proposed regulation also gives non-exhaustive examples of computer-security incidents that would qualify as “notification incidents,” including:

  • Large-scale DDoS attacks that disrupt customer account access (for four or more hours)
  • Widespread system outages and undeterminable recovery time experienced by a bank service provider used by a banking organization
  • A hacking incident that disables or disrupts banking operations for an extended period of time
  • The dispersion of malware on a financial institution’s network that would call for the organization to take all Internet-enabled network connections offline
  • Ransomware attacks that encrypt core banking systems or backup data

If the Proposed Rule is finalized as written, regulatory reporting obligations for banks and bank service providers will increase sharply, subjecting those organizations to the most stringent federal incident reporting requirements yet implemented in the United States.
