US banks required to report major cyber cases in 36 hours under new law

A new US law set to be introduced in May next year will require banks to report major cybersecurity incidents to federal officials within 36 hours.

According to Cyberscoop, under the new law financial executives will need to be ‘more forthcoming’ about computer system failures and interruptions such as ransomware or denial-of-service attacks that could potentially disrupt customers’ ability to access their accounts.

The rule – called the Computer-Security Incident Notification Requirements for Banking Organisations and Their Bank Service Providers – was confirmed by the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve System.

The 36-hour timeline for banks falls between the 72 hours previously suggested on Capitol Hill and the Transportation Security Administration’s timeline of 12 hours. The requirement was first proposed in December last year.

The final rule summary stated, “After considering the comments carefully, the agencies are replacing the ‘good faith belief’ standard with a banking organization’s determinations. The agencies agree with commenters who criticized the proposed ‘believes in good faith’ standard as too subjective and imprecise. Accordingly, the agencies have removed the good faith language from the definition of ‘notification incident’ and have substituted a determination standard in the final notification requirement.”

Copyright © 2021 RegTech Analyst
