The news: Banks in the US must now report major cybersecurity incidents to regulators and consumers, under a new rule adopted by three regulators.
More on this: The rule obligates banks to inform their primary federal regulator about significant incidents within 36 hours of their determination that they took place.
The regulation was green-lit by the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the FDIC. It takes effect on April 1, 2022, and banks must comply by May 1, 2022.
The rationale: Banks and their customers are increasingly on the receiving end of cyber attacks. The rule’s overview cites US Treasury Department data showing that the number of related Suspicious Activity Reports has ballooned, going from 1,221 in 2018 to 20,086 in 2020.
Regulators outlined how they want the rule to improve their responses to cyber attacks through:
The big takeaway: The requirements mandate transparency, which could improve consumers’ trust in their banks and empower them to take steps sooner to reduce personal data risks.
The changes will also let officials act more quickly to contain the spread and severity of cyber attacks. In some recent incidents, customers have been kept in the dark for a week or more:
Banks with lagging cybersecurity disclosures risk undermining the trust of their customers, which is bad for business. For example, our 2021 Banking Digital Trust Report shows that security was the highest-rated of six factors for respondents’ determinations of trust, with 78.7% marking it as “extremely important.”
Respondents with above-average digital trust were also likelier to patronize their banks than those with below-average trust: