UPDATE: Nov. 19, 2021: The Fed, OCC and FDIC approved a final rule Thursday requiring banks to notify their primary federal regulator within 36 hours of determining whether a “significant computer-security incident” could disrupt business or the stability of the financial sector, the agencies said.
The rule, which takes effect May 1, also requires bank service providers, such as technology vendors, to notify affected bank customers as soon as possible of any incident that could materially affect them for four hours or more.
The rule stems from a proposal the FDIC and OCC first floated in December 2020.
Dive Brief:
- A proposal Tuesday from the Federal Deposit Insurance Corp. (FDIC) and the Office of the Comptroller of the Currency (OCC) would require banks to notify their primary federal regulator within 36 hours of making a good-faith determination that a cybersecurity incident could materially disrupt, impair or degrade their operations, or threaten U.S. financial stability.
- Tuesday's measure also shifts some responsibility to a bank's technology vendor. Vendors would have to notify affected bank customers immediately of any incident that disrupted services for four hours or more.
- The proposal attaches a specific timeline to 15-year-old guidance instructing banks to notify their primary regulator "as soon as possible" about incidents of unauthorized access to sensitive customer data. Tuesday's update also covers disruptive incidents in which no customer data is exposed — a category previously left out.
Dive Insight:
The two regulators' proposal comes as banks face both an uptick in cyberattacks and fallout from past incidents. Attacks against the financial sector increased by 238% in the first five months of 2020, Tom Kellermann, head of cybersecurity strategy at VMware, testified on Capitol Hill in June, according to American Banker.
Beyond that, the sting of lost trust still lingers more than a year after a breach, allegedly by a former employee of cloud vendor Amazon Web Services (AWS), exposed the personal data of 106 million Capital One customers.
"The rule proposed by the agencies today provides appropriate balance — avoiding unnecessarily difficult or time-consuming reporting obligations while ensuring that regulatory agencies are in a position to provide assistance to a bank or the broader financial system when significant computer-security incidents occur," FDIC Chairman Jelena McWilliams said in a release.
Tuesday's proposal lists several examples of the type of incident that would warrant regulator notification — which could be as simple as phoning or emailing an agency official. Such incidents include large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, failed system upgrades that result in widespread user outages and ransomware attacks.
Banks are also still obligated to file suspicious activity reports (SAR) up to 60 days after discovery of an incident.
It is unclear how Tuesday's guidance would have changed Capital One's response to the 2019 breach. A statement posted on Capital One's website, detailing the bank's post-breach actions, doesn't indicate exactly when customers were notified. The bank said it confirmed the breach July 19, but the statement was dated Sept. 23 — likely after the SAR was filed. News of the breach broke July 30, a day after FBI agents arrested the suspect in the case.
Nonetheless, the proposal puts an obligation on tech vendors, a facet that was missing in both the Capital One breach — when an AWS official said the burden of cloud security fell on customers — and in the case of a 2018 BB&T outage.
That bank, now part of Truist, sued vendor Hitachi Vantara, claiming the company was responsible for the "catastrophic" outage, which kept millions of customers from accessing the bank's online, mobile, ATM and wire transfer services for 15 hours over several days.
The outage cost the bank "about $15 million in lower deposit service charges and about $5 million in higher operating expenses," Daryl Bible, now CFO of Truist, told analysts in April 2018, according to the Winston-Salem Journal. The bank spent $300 million to build redundant data systems to prevent a similar outage, CEO Kelly King said, according to American Banker.
Tuesday's proposal will be open for public comment for 90 days.