The Changing Regulatory Landscape of Cyber Incident Response for Financial Services

In response to the growing number of cyber attacks against financial institutions, there has been a marked increase in the number of regulations designed to ensure that financial services organizations have a plan in place to respond to cyber incidents. These regulations include not only federal and state government regulations, but also federal and state banking and credit union regulations. Failure to comply with these regulations can result in severe consequences, including financial penalties and damage to a company's reputation. In this blog article, we will explore the regulations that financial services organizations must adhere to, the consequences of non-compliance, and how companies can ensure they are prepared to comply with regulatory requirements.

One of the main impacts for financial service providers is the increased responsibility for reporting cyber incidents. Under these regulations, financial institutions and third-party service providers must report any cyber incidents that could impact the confidentiality, integrity, or availability of sensitive customer information. This includes reporting any incidents that result in unauthorized access, data breaches, or other forms of cyber attacks.

The reporting requirements can be complex, and financial service providers must ensure they have the necessary processes and systems in place to meet these obligations. This includes having a clear understanding of what constitutes a reportable incident, developing incident response plans and implementing tools and technologies to detect and respond to cyber threats.

Federal and State Government Regulations

In the last three years, Federal and State Government regulations regarding cyber incident reporting have seen a number of increased responsibilities for financial services, as well as any third party bank service providers. These increased regulations aim to ensure that banks, credit unions, insurance providers, investment firms and their third-party service providers have robust cybersecurity measures in place to protect against cyber threats and minimize the impact of cyber incidents.

The White House this month has released the National Cybersecurity Strategy. The Australian Government has released the 2023 - 2030 Australian Cyber Security Strategy Discussion Paper.

Legislation in the USA

One of the most notable changes in the United States is the passage of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires critical infrastructure operators to report any cyber incidents that could affect the security and risk of the systems to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. 

The Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) issued the Computer-Security Incident Notification: Final Rule which became effective as of May 1, 2022. This update requires regulated banking organizations to create and document a cyber incident response plan and notify either the FDIC or OCC of any cyber incident or breach no later than 36 hours after discovery. 

The Final Rule also requires bank service providers to notify their banking organization customers as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is likely to materially disrupt or degrade covered services for four or more hours. 

‍

The Securities and Exchange Commission (SEC) has proposed several rules that would require various regulated entities to disclose certain cybersecurity-related incidents, each rule with a different time frame. Additionally, the Federal Trade Commission (FTC) is also proposing updates that would require notification of the FTC within 30 days after discovering a data breach affecting or reasonably likely to affect at least 1,000 consumers.

State legislation also applies to financial services institutions, with time frames for reporting being as short as 24 hours. The New York State Department of Financial Services has recently proposed a second amendment to the 23 NYCRR 500, updating cybersecurity requirements for financial services companies. 

‍

A further in-depth explanation of the various regulations affecting financial services in the United States can be found here. 

‍

Federal Legislation in Australia

Likewise in Australia, the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 updated the Security of Critical Infrastructure Act 2018 to include requirements such as implementing cyber response plans and mandatory reporting timeframes. It also increased the number of types of organizations categorized as critical infrastructure to bring the number to 11. 

Consequences of Non-Compliance

Failing to comply with cyber incident reporting regulations can have serious consequences for organizations. According to the Cyber Incident Reporting for Critical Infrastructure Act, organizations that do not comply with the incident reporting requirements may be subject to civil or criminal penalties. 

Regulations are particularly high in the banking and financial sector. The OCC Final Rule requires banking organizations to report cyber incidents to the OCC, and failure to do so could result in civil money penalties and other measures. FinCEN requires organizations to report cyber-related suspicious activity, and failure to do so could result in civil money penalties, injunctions, and other measures. The New York State Department of Financial Services 23 NYCRR 500 outlines the requirements for reporting cyber incidents, and failure to comply could result in monetary penalties, suspension or revocation of licenses, and other measures. 

Being Prepared for Regulatory Changes: 

1. Conduct regular risk assessments to identify potential cyber threats and vulnerabilities within the organization. This will help to ensure the organization is best prepared to address and mitigate any potential issues that may arise.
2. Develop and implement a comprehensive cyber incident response plan, which outlines the steps that should be taken in the event of a cyber incident. This plan should include procedures for incident reporting and notification, as well as escalation procedures for more serious incidents.
3. Establish a dedicated incident response team with a clear chain of command and well-defined roles and responsibilities. This team should be responsible for managing all aspects of the incident response process, including incident reporting and notification (for more information, see this post on understanding cyber response management). Enable them with technology that supports this, and ensure that they are aware of their responsibilities with respect to incident reporting.
4. Where regulatory requirements include allowing external governing bodies access to your organization’s system during a cyber attack, consider how best to enable the need-to-share while maintaining the need-to-know.
5. Develop and maintain strong relationships with external stakeholders, including law enforcement agencies, regulators, and other financial institutions. This will help to ensure that the organization is able to respond effectively to cyber incidents and comply with relevant reporting requirements.
6. Ensure that all systems and applications are up-to-date and regularly patched to address known vulnerabilities. This will help to reduce the risk of cyber incidents and improve the organization's overall security posture.
7. Implement strong access controls and authentication mechanisms to protect sensitive data and systems from unauthorized access.
8. Regularly conduct penetration testing and vulnerability assessments to identify potential weaknesses and address them before they can be exploited by attackers.
9. Stay up-to-date with the latest cyber threat intelligence and best practices, and incorporate this information into the organization's incident response plan and security policies.
10. Conduct regular drills and exercises to test the organization's incident response capabilities and identify areas for improvement. This will help to ensure that the organization is well-prepared to respond to any cyber incidents that may occur.

‍

Watch domain experts from law, technology, cyber response management and enterprise security management discuss the challenges associated with the increased (and increasing) legislative, regulatory landscape of cyber incident response: Regulations and Legislation in Cyber Response: Challenges and Solutions

‍