US banks: 36 hours to report a cyber incident

US financial regulators have adopted a new rule requiring banking organizations to report any significant cybersecurity incident within 36 hours of its discovery. Until now, banks had no specific deadline for declaring and reporting a major computer failure.

Number of reported cyber incidents up 54

The massive adoption of teleworking during the lock-in period has put the finance sector at the forefront of cyber-incidents. A note recently published by the French Treasury reveals that these risks are insufficiently taken into account. Indeed, it shows that banks and insurers were the most affected by computer attacks or breakdowns, accounting for 25.3% of incidents, ahead of services (24.4%) and public administrations (15.6%).

The sudden use of teleworking is not the only factor likely to explain this significant exposure to cyber risk. The financial sector is all the more concerned because it is highly digitized. In its note, the French Treasury points out that the main market structures and a large proportion of banking activities are entirely paperless.

However, quantifying incidents is not easy, as the scope of cyber risk is constantly evolving, and there is no real transparency on the subject. Qualifying them is equally tricky, as each country has its own tools. For example, the Bank for International Settlements (BIS) uses a specific lexicon to classify failures or attacks according to the material causes of an incident, its malicious or accidental nature, its consequences and the actors involved.

Obligation to report cyber security incidents within 36 hours

From April 2022, US banks will be required to report significant incidents to federal authorities within 36 hours. In Europe, banks supervised by the European Central Bank (ECB) have been subject to this obligation since 2017.

The incidents that will have to be reported are those that are reasonably likely to have an impact on " the viability of their operations, their ability to provide products and services, or the stability of the U.S. financial sector ".

These can result from malicious software, non-malicious hardware and software failures, staff errors or other causes. If the incident in question is likely to block customers' access to their accounts for four hours or more, banks will have to inform them " as soon as possible".

This new rule, adopted by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board) and the Office of the Comptroller of the Currency (OCC), is designed to encourage banks to take greater account of the cyber risk that could affect the information transmitted by data providers and, ultimately, lead to a widespread loss of confidence in the payment system.