Until recently the FDIC had no requirement for a banking organization to report a cyber incident.
The new regulation, titled The First Rule, states that any banking organization must notify its primary federal regulator of any significant cyber security incident as soon as possible, and no later than 36 hours after the banking organization has determined that a cyber incident has occurred.
So until now (the regulation went into effect April 1, 2022, with compliance required by May 1, 2022) banks had no such requirement.
The attributes of an incident that trigger such notification:
- An incident has materially affected, or is likely to materially affect, the viability of a banking organization’s operations
- The banking organization cannot deliver its usual banking products and services to customers
- The incident has the ability to affect the stability of the financial sector
If the incident has materially affected, or is likely to materially affect, the organization's customer base for four or more hours, then customers must also be notified.
Banks will need to address how to comply with The First Rule.
The First Rule does not address cases where a customer suffers a cyber incident caused by the customer's own actions.