US federal bank regulatory agencies have finalised a new rule that requires banking firms to report cybersecurity incidents to the regulator within 36 hours of discovery.
The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency have approved the final rule.
In a joint release, the agencies said: “The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred.”
Additionally, lenders are required to inform the customers of affected organisations about the cybersecurity incident if it can impact them for four hours or longer.
The new rule is aimed at helping authorities mitigate the risks that cyber incidents pose to the banking and financial system.
“This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic,” the agencies added.

Meanwhile, the industry trade group Securities Industry and Financial Markets Association (SIFMA) said that it completed a global industry-wide cybersecurity exercise.
The exercise, called Quantum Dawn VI, simulated a ransomware attack to allow financial firms, central banks, and data sharing firms, among others, to rehearse their response in the event of a cyberattack.
SIFMA president and CEO Kenneth Bentsen said: “A clear takeaway from the exercise is the importance of a robust partnership between the industry and government grounded in information sharing. No single actor – not the government, nor any individual firm – has the resources to protect markets from cyber threats on their own, nor do cyber incidents restrict themselves to one geographic region.”