Federal banking regulatory agencies have approved a final rule on how information about cyber-attacks should be shared within the US banking system, according to a joint statement published by the Federal Deposit Insurance Corporation (FDIC).
The Office of the Comptroller of the Currency (OCC), the Board, and the FDIC have jointly announced that banks will be required to notify their primary federal regulator of any significant cyber-security incident as soon as possible, and no later than 36 hours after the bank determines that the incident has occurred.
Notification will be required if the incident is thought likely to have a material impact on the viability of a bank’s operations, its ability to deliver banking products and services, or the stability of the financial sector.
The rule also requires bank service providers to notify their affected banking organization customers as soon as possible if the incident is deemed likely to disrupt or degrade the services they provide to those customers for four or more hours.
“The notification requirement for bank service providers is important because banking organizations have become increasingly reliant on third parties to provide essential services,” the regulators stated in a ruling document.
“Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization.”
A report from cybersecurity firm OneSpan found that the top compliance challenges banks face include preventing cyber-attacks, safeguarding sensitive data, and keeping pace with changes in consumer privacy laws and industry regulations.
According to a report by Cybersecurity Ventures, total cybercrime costs are projected to reach $10.5 trillion by 2025, as account takeover cases, new account fraud, and other types of cyber-attacks continue to rise.
In September, the Basel Committee on Banking Supervision (BCBS) warned that malicious attackers targeting the banking sector had become “increasingly sophisticated” and had “more points of access to banks’ systems.”