Security News > 2021 > November > US regulators order banks to report cyberattacks within 3 days
US federal bank regulatory agencies have approved a new rule ordering banks to notify their primary federal regulators of significant computer-security incidents within 36 hours.
Banks are only required to report major cyberattacks if they have or will likely impact their operations, the ability to deliver banking products and services, or the US financial sector's stability.
Examples of incidents that need to be reported under the new rule include large-scale distributed denial of service attacks that disrupt customer account access to banking services or computer hacking incidents that takedown banking operations for extended periods of time.
"Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect banking organizations' networks, data, and systems, and ultimately their ability to resume normal operations."
The new cyberattack reporting rule is designed to boost banking supervisors' awareness of emerging threats to banking orgs and the broader US financial system.
"The final rule seeks to allow the banking supervisors to be informed of the most significant cyberattacks in a timely fashion while avoiding unnecessarily difficult or time-consuming reporting obligations," said FDIC Chairman Jelena McWilliams.