US regulators seek to tighten cyber incident reporting

New federal rule, mindful of Covid, will force firms to report serious incidents within 36 hours

Stolen credentials are one of the primary gateways for cyber criminals to gain access to systems

US regulators are zeroing in on the design of banks’ critical incident response protocols as a key means of ensuring the safety and soundness of the financial system. High-profile threats from malicious actors affecting banks and their service providers can quickly erode confidence in the current climate.

Although the Bank Service Company Act already allows a bank’s primary federal regulator to examine bank operations performed by third parties, it contains no notification requirement in the event of a service disruption. A proposed rulemaking from federal regulators, set to enter into force later this year, will change that.

“It doesn’t matter if the service is being performed by the bank itself or if it’s performed by a third party on behalf of the bank – we’ll have the ability to conduct examinations and to make sure that the third party is meeting the same standards as the financial institution itself,” said Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency, at Risk.net’s OpRisk Global conference on March 22.

The notice of proposed rulemaking issued by the Federal Reserve, OCC and the Federal Deposit Insurance Corporation in January will require banks and their service providers to notify supervisors within 36 hours once they learn of cyber security incidents that meet certain criteria marking them as ‘notification incidents’.

These could include large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, system outages by a critical bank service provider, a failed system upgrade or change, a computer hacking incident, or infection by malware or ransomware.

Parallel legislation drafted by the European Union – the Digital Operational Resilience Act – would require financial institutions to report to authorities within one day of a major incident.

During the comment period, which ends on April 12, banks are expected to weigh in on the additional compliance burdens of the new rule. Questions are being asked as to whether computer security incidents should include only those that result in actual harm to the confidentiality, integrity, or availability of an information system, and whether the 36-hour notification requirement should be modified.

During the pandemic, federal regulators have warned banks to make sure their control environments are robust enough to spot potential gateways for malicious actors to gain access, and have stressed the importance of properly vetted change management processes. Banks have had to rapidly redesign many controls to adhere to Covid-19 restrictions, such as permitting front-office staff to trade remotely, and to quickly develop processes to support government stimulus programmes.


Greenfield noted that stolen credentials are one of the primary gateways for cyber criminals to gain access to systems, and regulators are emphasising the need for strong authentication. Firms that implement multifactor authentication tend to fare better against attacks, he said.

“Malicious actors have access to the same manuals for these tools, and they look to see if it’s misconfigured, and if someone hasn’t turned on the security or changed default passwords, they will exploit it,” said Greenfield.

Speaking during an earlier panel at OpRisk Global, Arthur Lindo, deputy director for policy at the Federal Reserve Board’s division of supervision and regulation, noted that cyber criminals had still been “showing up for work every day” during the pandemic.

Vendor risk underlies many of the operational resilience principles issued last year by US regulators, which are intended to ensure financial institutions maintain critical services during a disruption. The pandemic has heightened the need for due diligence over vendors, many of them in offshore locations where personnel have difficulty accessing systems, and where financial firms may struggle to perform requisite penetration testing.
