7 Data Breach Reporting Rules Banks Need to Understand
On May 1, the protocols that US financial institutions must follow after a cybersecurity breach changed, and more changes are yet to come.
This month, three banking regulators began asking banks to report cybersecurity incidents within 36 hours where such incidents have caused serious harm or are likely to do so. The three regulators are the Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency.
Banks already faced a number of obligations to report incidents to various parties, and more such compliance burdens are expected to be imposed over the next few years. There is a little hope that a recently signed law on cybersecurity incident notifications will harmonize this network of rules.
Cyber-reporting requirements tend to differ in purpose, but “at the end of the day what all of these regulators are trying to do is promote information sharing,” said Jorge Rey, manager of information security for the accounting firm Kaufman Rossin.
Part of the impetus behind the new rules is a widely held belief that cybersecurity incidents are chronically underreported. Three in four cybersecurity professionals think cybersecurity incidents aren’t fully disclosed, according to a 2018 survey of more than 1,500 cybersecurity professionals.
ISACA, an international trade association focused on IT governance, conducted the survey. In a proposed cybersecurity incident notification rule, the Securities and Exchange Commission cited the survey as evidence of underreporting.
Here is an overview of the existing, proposed and planned requirements that US banks face after a cybersecurity incident.