The Federal Reserve Board said federal bank regulatory agencies have approved a final rule that seeks to improve information sharing regarding banking system cyber incidents.
Final rule compliance is required by May 1, 2022. The guidance requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines a cyber incident has occurred.
Per the directive, banking organizations are required to provide notification of incidents that have impacted the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.
Additionally, the rule stipulates that a bank service provider must notify impacted customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected, or is likely to have a bearing on, customers for four or more hours.
The Federal Reserve Board maintains that computer-security incidents can result from destructive malware or malicious software, in addition to non-malicious failure of hardware and software, personnel errors, and other causes.
The agency indicated that cyberattacks targeting the financial services industry have increased in frequency and severity in recent years, and determined that such attacks can have a dire impact on banking organizations' networks, data, and systems and on their ability to resume normal operations.