Small banks could face challenges with 36-hour cyber reporting rule

Banks must begin complying with a new rule that requires them to report certain computer security incidents to regulators within 36 hours, a reporting time frame that could prove challenging, especially for smaller firms.

The rule, issued jointly by the Federal Deposit Insurance Corp., Office of the Comptroller of the Currency and Federal Reserve Board of Governors, calls for reporting to regulators by telephone, email or a similar method. Although the rule took effect April 1, banking organizations and bank service providers must comply by May 1.

The 36-hour window is relatively short because, in most cases, regulators tended to allow at least a couple of days for reporting, said David Murphy, cybersecurity manager at Schneider Downs & Co. Inc. For small banks, handling both reporting and managing the problem itself could be a challenge because they have fewer people and resources.

"If you're a small bank, you have a small IT team, you're going to want your IT team focused on dealing with the incident, not necessarily the details around reporting what's happened," Murphy, who helps banks with security, said in an interview.

Bank regulators, as well as state and other federal regulators, are increasing pressure to report cyber incidents as much as possible, he said.

"Before all these rules, there was basically no incentive to report that you had some type of computer-related incident, and that created a problem," Murphy said. "It basically causes issues with us understanding the scope of the problem."


There has been a rise in ransomware over the past 18 months, said Julie Bernard, who leads Deloitte's cyber and strategic risk team. For large banks, which Deloitte works with most, this requirement is "an update to their standard incident response plans. Not a huge update, but what they have to figure out is: Who are the various regulators they need to report to? … They're already doing reporting anyway to other industry groups."


Banks are already required to file suspicious activity reports no more than 30 days after initially finding information that may be a basis for a report, and those reports are not all related to cybersecurity. The new rule also applies to certain bank service providers. Under the rule, they need to report to their banking organization customers "as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours."

Financial institutions might notify more rather than less to maintain regulatory relationships, and the rules are written about generally significant incidents anyway, said Michael Borgia, partner leading the information security group at Davis Wright Tremaine LLP.

"We're not going to try to parse out all the fine points of when you have to notify and when you don't, internally," Borgia said in an interview, describing the perspective of most financial institutions he has spoken with. "We're going to be inclined to notify because maintaining that relationship is very valuable to us, and trying to come up with clever arguments for why we shouldn't have to notify just doesn't make sense in the long run, really."

Reporting requirements for service providers

Compliance for banks could include informing their service providers through updated contracts or other means. Covered services are those subject to the Bank Service Company Act, for example, sorting and posting checks and deposits, computing and posting interest and other charges and credits, as well as preparing and mailing checks.

Bernard said she is surprised not to have heard more from these third parties about their requirements and how their reporting to banks will work.

"I know that there are others that share the same concern," Bernard said. "So if a bank is dependent on a very large software company for their core banking system, and most often is a cloud-based offering these days … if there's a problem with that piece of software, and their branch network goes down too, what is the notification chain that is needed, even as you're trying to fix the problem?"

Because service providers do not have direct relationships with the federal banking regulatory agencies, getting the word out about the new rule is a challenge, said John Geiringer, partner at Barack Ferrazzano Kirschbaum & Nagelberg LLP. He spoke during a webinar in March co-hosted by Barack Ferrazzano, the American Bankers Association, Fiserv Inc. and the Financial Services Information Sharing and Analysis Center. There are about 120,000 bank service providers nationwide compared with about 5,000 banks, Geiringer added.

Banks need to speak with their service providers about the rule.

"It'd be sensible for a banking organization to update their contracts [and] to have conversations with their service providers," Borgia said. "'Are you providing covered services?'" Updating contracts is not a requirement under the rule, he added. Borgia advises both banking organizations and service providers under the rule.

The definitions in the rule describe different standards for incidents that banks and service providers must report.

"There will be situations in which a service provider would be required to notify the banking organization, but the banking organization may not be required to notify the regulator," Borgia said. "So there may be a broader set of incidents that the service providers are required to notify."