A new rule would require more from third-party service providers, too.
The Treasury Department’s Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation seek comment on a joint proposal that would expand and hasten reporting requirements for computer security incidents.
Policymakers of the congressionally mandated Cyberspace Solarium Commission have called for a systematic way for critical private-sector entities to share cyber incidents toward gleaning more information about necessary defensive measures. A provision in the House-passed 2021 National Defense Authorization Act called for a Department of Homeland Security study of how to effectively establish such a system. But it was opposed by major industry groups—including the U.S. Chamber of Commerce—who argued it was unnecessary to secure government systems and information, and it was not included in the final bill.
But the vast majority of U.S. critical infrastructure is privately owned or operated, and according to a notice set to publish Tuesday in the Federal Register, current regulations don’t capture the full scope of events that could affect the financial stability of the United States or provide enough time for the agencies to appropriately respond.
The Gramm-Leach-Bliley Act, for example, sets the expectation that banking organizations notify their federal regulators “as soon as possible” if they become aware of “an incident involving unauthorized access to, or use of, sensitive customer information.” But there is a whole range of computer security incidents not included in that category.
Under the new rule, an incident requiring notification, or “notification incident,” may include “major computer-system failures, cyber-related interruptions, such as coordinated denial of service and ransomware attacks, or other types of significant operational interruptions.” Banking organizations would be required to report such incidents as soon as possible and no later than 36 hours after they “believe in good faith” one has occurred.
Certain organizations are currently required under the Bank Secrecy Act to file reports of suspicious criminal activity within 30 days. But apart from, again, not capturing the scope of relevant cyber incidents, the agencies said the law, “does not provide the agencies with sufficiently timely notice.”
The agencies’ proposal would also require bank service providers—firms that perform functions such as accounting as well as the underlying components of such activities—to report computer security incidents they “believe in good faith” could be notification incidents to their banking organization customers. The third-party service providers would have to report such incidents immediately to at least two individuals at the banking organization.
This supply chain element would be key for mitigating events such as the high-profile SolarWinds hack.
Speaking during an Aspen Institute event on that intrusion Thursday, Luta Security founder and CEO Katie Moussouris said the main reason companies hesitate to report cyber incidents is because they fear liability associated with lapses in their cybersecurity practices.
The financial sector agencies said “the notification, and any information provided by a banking organization related to [an] incident, would be subject to the agencies’ confidentiality rules.”
Describing the benefits of the rule, they said in cases where incidents appear to be isolated events, receiving notice would “enable the primary federal regulator to facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection.” This would allow for agreed-upon assistance and coordination with other government agencies on incident response and recovery efforts, according to the proposed rule.
And in cases where similar incidents are occurring at multiple organizations, the reporting could be used “to improve guidance, to adjust supervisory programs to limit the reoccurrence of such incidents in the future, and to provide information to the industry to help banking organizations protect themselves against future computer-security incidents.”
The agencies provided a 90-day public comment period to receive feedback on the proposed rule.