Banking organizations dub proposed US cyber notification regulation ‘burdensome’

Written by

Banking groups have objected to elements of a proposed U.S. cyber incident notification rule, saying that its threshold for mandatory disclosure of such events to regulators is overly broad and would lead to over-reporting of incidents.

Under the proposed regulation from the Treasury Department and other regulators, banks would have to notify their regulators within 36 hours of certain kinds of attacks, and bank service providers would have to notify their customers of particularly damaging incidents as well.

“While we support the policy goals of the proposed rule, we believe that, as currently drafted, the proposed rule calls for notification of incidents well below the intended threshold of critical cybersecurity incidents,” wrote the American Bankers Association, Bank Policy Institute, Institute of International Bankers, and the Securities Industry and Financial Markets Association. “As a result, the proposed rule would lead to significant and burdensome over-reporting to the Agencies, contrary to its stated intention.”

As currently written, the rule’s reporting threshold kicks in when a bank “believes” in good faith that an incident “could” disrupt, degrade or impair one of three kinds of banking functions: the ability to carry out operations on behalf of a significant part of its customer base; a line of business that would result in loss of profits; or operations where failure would jeopardize U.S. financial stability.

Instead, the associations proposed in a Monday comment letter, “the notification requirement should include only those incidents that result in ‘actual’ harm and that a banking organization ‘determines’ in good faith are ‘reasonably likely’ to cause the significant harms set forth in the rule.” They also suggested making the requirement on business lines narrower.

The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and Treasury’s Office of the Comptroller of the Currency drafted the cyber notification rule.

The proposed rule comes after a ransomware attack last year disrupted Finastra, a major bank service provider, and after the Securities and Exchange Commission warned of a rising ransomware threat to financial institutions.

Also on Monday, Federal Reserve Chairman Jerome Powell labeled cyber threats the top risk he’s watching for the financial sector.

Cybercrime cost financial services companies an average of $18.5 million each year, according to a 2019 study.

The coalition of banking groups also want to tweak the proposed rule’s timetable for notifying regulators of hacking incidents. The organizations recommended changes to the notification requirement of “no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred,” amending it to “as soon as ‘practicable’ but no later than 36 hours after the banking organization ‘determines’ in good faith that a notification incident has occurred.”

Another part of the rule requires bank service providers — defined in law as organizations that deliver a variety of sorting, bookkeeping and clerical services — to notify banking organization customers when they believe they’ve suffered a damaging breach. The associations broadly supported that requirement, but also modifying it to reflect the similar kind of “believes” versus “determines” language it recommended for banks themselves.