Skip to main content
close search
site logo
Dive Brief

Fed, FDIC, OCC approve 36-hour window for reporting cyberattacks

Published Dec. 16, 2020 Updated Nov. 19, 2021
Dan Ennis's headshot
Senior Editor
Federal Deposit Insurance Corp.

UPDATE: Nov. 19, 2021: The Fed, OCC and FDIC approved a final rule Thursday requiring banks to notify their primary federal regulator within 36 hours of determining whether a “significant computer-security incident” could disrupt business or the stability of the financial sector, the agencies said.

The rule, which takes effect May 1, also requires bank service providers, such as technology vendors, to notify affected bank customers as soon as possible of any incident that could materially affect them for four hours or more. 

The rule stems from a proposal the FDIC and OCC first floated in December 2020.

Dive Brief:

  • A proposal Tuesday from the Federal Deposit Insurance Corp. (FDIC) and the Office of the Comptroller of the Currency (OCC) would require banks to notify their primary federal regulator within 36 hours of making a good-faith determination that a cybersecurity incident could materially disrupt, impair or degrade their operations, or threaten U.S. financial stability.
  • Tuesday's measure also shifts some responsibility to a bank's technology vendor. Vendors would have to notify affected bank customers immediately of any incident that disrupted services for four hours or more.
  • The proposal attaches a specific timeline to 15-year-old guidance instructing banks to notify their primary regulator "as soon as possible" about incidences of unauthorized access to sensitive customer data. Tuesday's update also covers disruptive incidents in which no customer data is exposed — a category previously left out.

Dive Insight:

The two regulators' proposal comes as banks face both an uptick in cyberattacks and fallout from past incidents. Attacks against the financial sector increased by 238% in the first five months of 2020, Tom Kellermann, head of cybersecurity strategy at VMware, testified on Capitol Hill in June, according to American Banker.

Beyond that, the sting of lost trust still lingers more than a year after a breach, allegedly by a former employee of cloud vendor Amazon Web Services (AWS), exposed the personal data of 106 million Capital One customers.

"The rule proposed by the agencies today provides appropriate balance — avoiding unnecessarily difficult or time-consuming reporting obligations while ensuring that regulatory agencies are in a position to provide assistance to a bank or the broader financial system when significant computer-security incidents occur,” FDIC Chairman Jelena McWilliams said in a release.

Tuesday's proposal lists several examples of the type of incident that would warrant regulator notification — which could be as simple as phoning or emailing an agency official. Such incidents include large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, failed system upgrades that result in widespread user outages and ransomware attacks.

Banks are also still obligated to file suspicious activity reports (SAR) up to 60 days after discovery of an incident.

It is unclear how Tuesday's guidance would have changed Capital One's response to the 2019 breach. A statement posted on Capital One's website, detailing the bank's post-breach actions, doesn't indicate exactly when customers were notified. The bank said it confirmed the breach July 19, but the statement was dated Sept. 23 — likely after the SAR was filed. News of the breach broke July 30, a day after FBI agents arrested the suspect in the case.

Nonetheless, the proposal puts an obligation on tech vendors, a facet that was missing in both the Capital One breach — when an AWS official said the burden of cloud security fell on customers — and in the case of a 2018 BB&T outage.

That bank, now part of Truist, sued vendor Hitachi Vantara, claiming the company was responsible for the "catastrophic" outage, which kept millions of customers from accessing the bank's online, mobile, ATM and wire transfer services for 15 hours over several days.

The outage cost the bank "about $15 million in lower deposit service charges and about $5 million in higher operating expenses," Daryl Bible, now CFO of Truist, told analysts in April 2018, according to the Winston-Salem Journal. The bank spent $300 million to build redundant data systems to prevent a similar outage, CEO Kelly King said, according to American Banker.

Tuesday's proposal will be open for public comment for 90 days.

Editors' picks

  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024
  • Consumer Financial Protection Bureau Director Rohit Chopra testifies before the Senate Banking, Housing and Urban Affairs Committee April 26, 2022 in Washington, DC.
    Image attribution tooltip
    Win McNamee via Getty Images
    Image attribution tooltip

    CFPB issues final rule on open banking

    Payment apps are included in the data-control rule, in a change from last year’s proposal. Banks and credit unions with less than $850 million in assets are exempt.

    By Dan Ennis • Oct. 22, 2024

Company Announcements

View all | Post a press release
Zingly Announces a Proven, Safe-AI Solution for Banks and Financial Institutions to Drive Reve…
From Zingly.ai
October 28, 2024
Congressman urges CFPB to support SoLo Funds’ community-focused lending model
From Solo Funds
October 30, 2024
WyHy Federal Credit Union Goes Digital with Narmi Account Opening
From Narmi
October 29, 2024
Bank Midwest Partnership with Newgen Continues to Amplify its Digital Banking Capabilities
From Newgen Software
October 24, 2024
Editors' picks
  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024
  • Consumer Financial Protection Bureau Director Rohit Chopra testifies before the Senate Banking, Housing and Urban Affairs Committee April 26, 2022 in Washington, DC.
    Image attribution tooltip
    Win McNamee via Getty Images
    Image attribution tooltip

    CFPB issues final rule on open banking

    Payment apps are included in the data-control rule, in a change from last year’s proposal. Banks and credit unions with less than $850 million in assets are exempt.

    By Dan Ennis • Oct. 22, 2024
Latest in Regulations & Policy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell