Federal financial regulators are seeking comment on a proposed rule intended to increase accountability for banks that experience cybersecurity incidents by requiring them to report such incidents to their primary regulators within 36 hours of discovery.
The proposed rule is scheduled to be published in the Federal Register Jan. 12 and is the result of a combined effort by the Department of Treasury’s Office of the Comptroller of the Currency (OCC), the Federal Reserve System’s Board of Governors, and the Federal Deposit Insurance Corporation (FDIC).
“The proposed rule would require … notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred. This notification requirement is intended to serve as an early alert to a banking organization’s primary federal regulator and is not intended to provide an assessment of the incident,” the notice of proposed rulemaking says.
In addition to requiring banking organizations to notify their primary federal regulators within 36 hours, the proposed rule would also require service providers for banks to notify at least two people at the bank any time the provider “experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.”
The proposing agencies are accepting public comment up to 90 days after the proposed rule is published.