US banks harbor concerns over agencies’ cyber risk rule

The lack of a reporting template means “people can give the least amount of data possible”, warns a bank CISO, stymieing data sharing.

Sometimes it does take a sledgehammer to crack a nut. US prudential regulators have finalized a rule requiring banks to report major cyber incidents within 36 hours—a move they hope will help them intervene earlier on attacks that could affect the financial sector as they unfold.

But the rule doesn’t specify how and in what form the information is to be reported—nor does it precisely indicate how regulators will use the information they gather—leaving banks with unanswered questions.

“That’s still a question mark, how much do you provide?” says the chief information security officer (CISO) at the US subsidiary of a European bank. “When it’s free-form, people can give the least amount of data possible. If the goal of regulators is to raise all boats, they should have some minimal standard of what must be reported if they are to share that data [with] the industry.”

In response to questions from WatersTechnology sibling publication Risk.net, a representative of the US Office of the Comptroller of the Currency confirms: “No specific information is required in the notification other than that a notification incident has occurred. The final rule does not prescribe any form or template. A simple notice can be provided to the appropriate agency supervisory office, or other designated point of contact, through email, telephone, or other similar method that the agency may prescribe.”

According to the wording of the rule, banks must notify supervisors within 36 hours once they learn of cyber security incidents that meet certain criteria that mark them as ‘notification incidents’, such as large-scale distributed denial-of-service attacks, system outages by a critical bank service provider, a failed system upgrade or change, a computer hacking incident, or infection by malware or ransomware.

The rule also requires a service provider to notify the bank “as soon as possible” once the provider determines it has experienced an incident that has caused, or is likely to cause, a service disruption for four or more hours.

The agencies noted that some commenters had expressed a desire for “efficient and flexible options” for reporting incidents, with agencies observing that normal communication channels may be disrupted during an incident. Some commenters suggested the use of automated electronic notifications.

The agencies concluded that email and telephone are the best methods currently available for effective notification, but said that they might prescribe additional methods as available communication options evolve, with the goal of striking a balance between the needs of regulators to receive timely notification of incidents and the needs of banks for flexibility in the event of a disruption.

“Once the bank understands that this is a significant event, within 36 hours of making that determination, they must give a heads-up to the regulators. If you look at the rule, they’re not looking for full forensics. It could be by email, by phone. There’s no template, no form—it could be a couple of sentences,” says Denyette DePierro, vice-president and senior counsel for cyber security at the American Bankers Association.

On the plus side, say bank cyber experts, the final rule significantly narrows the scope of incidents that need to be reported in comparison to a previous version proposed earlier this year. This was achieved by tightening the language used to define what is reportable, to focus on actual rather than potential harm, and changing the phrase “could” to “reasonably likely” to materially disrupt, degrade or impair customer services.

Ultimately, most view the rule as a standardization of accepted practice at major financial institutions. There are already existing requirements for banks to give notice of cyber breaches. The Bank Secrecy Act, for example, requires banks to file suspicious activity reports with the US Treasury’s Financial Crimes Enforcement Network when a cyber attack results in a theft of customer funds or is used to facilitate criminal activity, such as money laundering. In addition, many institutions voluntarily report large-scale cyber incidents to regulators.

A decent window

The 36-hour window is also viewed as less onerous than the requirements of some other regulators, such as the European Central Bank, which has a two-hour notification requirement.

“From a day-to-day perspective, is this going to change how we do incident response at this bank? No—because, by comparison internationally, 36 hours is a decent amount of time,” says the CISO at the US subsidiary of the European bank.

Several commentators have suggested that having a central repository of cyber-related incidents could serve a valuable purpose in helping banks learn from others’ experiences, much as they do now through industry working groups such as the Financial Services Information Sharing and Analysis Center. However, much depends on having a standard means of reporting the information.

“What the regulators learn, and how they inform other banks of what’s happening, will allow other banks to take preventative measures. The usefulness will depend a lot on whether regulators leverage it and push it back out,” says Evan Sekeris, a former regulator with the Federal Reserve.

In the rulemaking, the agencies said that notification could help to determine whether the incident was isolated or related to multiple banking organizations. If the former, the bank’s primary regulator might be able to facilitate requests for assistance to the affected bank. If the latter, the agencies could notify other banks of the threat and help co-ordinate incident response. Receiving information on notification incidents at multiple banking organizations could also be used to inform supervisory guidance on computer-security incidents.
