[BreachExchange] U.S. banks must report hacks within 36 hours, new rule says

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Nov 19 10:31:51 EST 2021


https://www.seattletimes.com/business/u-s-banks-must-report-hacks-within-36-hours-new-rule-says/


Banks must report major cyberattacks to regulators within 36 hours if the
incident is likely to disrupt their business, according to a new rule from
U.S. regulators.

Any “computer security incident” that threatens a lender’s operations,
services to customers or the stability of the financial system has to be
disclosed to the bank’s primary government watchdog, according to a rule
issued on Thursday that is set to go live on May 1.

The regulation, approved by the Federal Reserve and other banking agencies,
will also extend to companies that provide services to banks. Those firms
will be asked to notify their bank clients as soon as possible when
disruptions are expected to affect customers for more than four hours.

Possible examples of incidents that firms should report include large-scale
distributed denial of service attacks or a computer hack that knocks out
banking operations for more than a brief period, according to the rule from
the Fed, Office of the Comptroller of the Currency and Federal Deposit
Insurance Corp. The 36-hour clock starts as soon as the bank is aware of an
incident, according to the rule.