Banking groups have objected to elements of a proposed U.S. cyber incident notification rule, saying that its threshold for mandatory disclosure of such events to regulators is overly broad and would lead to over-reporting of incidents.
Under the proposed regulation from the Treasury Department and other regulators, banks would have to notify their regulators within 36 hours of certain kinds of attacks, and bank service providers would have to notify their customers of particularly damaging incidents as well.
“While we support the policy goals of the proposed rule, we believe that, as currently drafted, the proposed rule calls for notification of incidents well below the intended threshold of critical cybersecurity incidents,” wrote the American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association. “As a result, the proposed rule would lead to significant and burdensome over-reporting to the Agencies, contrary to its stated intention.”
As currently written, the rule’s reporting threshold kicks in when a bank “believes” in good faith that an incident “could” disrupt, degrade or impair one of three kinds of banking functions: the ability to carry out operations on behalf of a significant part of its customer base; a line of business that would result in loss of profits; or operations where failure would jeopardize U.S. financial stability.
Instead, the associations proposed in a Monday comment letter, “the notification requirement should include only those incidents that result in ‘actual’ harm and that a banking organization ‘determines’ in good faith are ‘reasonably likely’ to cause the significant harms set forth in the rule.” They also suggested making the requirement on business lines narrower.
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and Treasury’s Office of the Comptroller of the Currency drafted the cyber notification rule.
The proposed rule comes after a ransomware attack last year disrupted Finastra, a major bank service provider, and after the Securities and Exchange Commission warned of a rising ransomware threat to financial institutions.
Also on Monday, Federal Reserve Chairman Jerome Powell labeled cyber threats the top risk he’s watching for the financial sector.
Cybercrime cost financial services companies an average of $18.5 million each year, according to a 2019 study.
The coalition of banking groups also want to tweak the proposed rule’s timetable for notifying regulators of hacking incidents. The organizations recommended changes to the notification requirement of “no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred,” amending it to “as soon as ‘practicable’ but no later than 36 hours after the banking organization ‘determines’ in good faith that a notification incident has occurred.”
Another part of the rule requires bank service providers — defined in law as organizations that deliver a variety of sorting, bookkeeping and clerical services — to notify banking organization customers when they believe they’ve suffered a damaging breach. The associations broadly supported that requirement, but also modifying it to reflect the similar kind of “believes” versus “determines” language it recommended for banks themselves.
Bank service providers offered similar feedback to the regulation. The company Fiserv, along with trade groups like the Internet Association BSA | The Software Alliance, objected to the notification requirement for attacks that could cause potential harm, rather than those that demonstrate actual harm.
Fiserv also requested an exemption from the bank service provider’s notification standard to allow for planned maintenance, and for the definition of “computer security incident” to differ between cyberattack-caused outages and regular system outages.
Updated, 4/14/21: The story now includes the filed commentary of bank service providers and their related trade associations.