BID® Daily Newsletter
Jul 12, 2022

BID® Daily Newsletter

Jul 12, 2022

Serious Hack-Attack-You Have 36 Hours to Report It

Summary: CFIs and other banks now have 36 hours to report serious hacks, including those that may disrupt operations, cause material losses or even threaten the stability of the entire financial system. Is 36 hours enough time for CFIs?

In the 2006 movie, Last Holiday, the lead character Georgia bumped her head while working at her Louisiana department store job and the company doctor erroneously gave her a faulty CT scan report - telling her that she had only weeks to live. The extremely short time frame caused Georgia to break free of her timid mold, cash in her nest egg and live it up at a Czech ski resort. She tried snowboarding on a double black diamond run, base jumping off a dam and winning a small fortune at a local casino. Fortunately, she learned she would not die after all, but the liberating trip helped her to overcome her fears to snag her true love and also start her lifelong dream of opening a restaurant as its head chef.
Short time lines can sometimes be a good thing - as long as you're prepared.
A new federal rule requires banks to report serious hacks within 36 hours. While complying might not be that difficult for larger financial institutions, that time frame might prove to be a challenge for community financial institutions (CFIs) with limited resources.
The 36-hour rule was announced in November 2021, with compliance required by May 1, 2022. It is actually a compromise from original language which required financial institutions to report suspected high-level cyberattacks or other serious service disruptions "immediately." Some CFIs may need to beef up reporting capability to deal with the new rule, while also maintaining strong defenses against hacks.
CFIs have had six months to figure out how to handle the new rule. But now that it’s in play, CFIs that encounter issues covered by the rule will see how well they are prepared. The rule defines the trigger for reporting as an incident that "materially disrupted or degraded" core services, or is likely to do so. Hacks that threaten an institution with a material loss are also covered. That last one may be a response to recent, multi-million-dollar ransomware attacks. A company might pay ransomware demands to keep its operations running, but suffer a significant loss as a result.
Institutions with deep IT resources may choose to over-report to ensure that they don't miss an incident that might qualify for the 36-hour rule. How well smaller CFIs are able to adjust remains to be seen.
Banks have plenty of incidents to respond to, including a steady rise in suspicious activity reports (SAR) of all kinds filed by financial institutions, particularly against customers. The increase was most dramatic for cyberattack-related SARs doubling from 2019 to 2021, from around 10,000 to more than 20,000.
Those reports were filed under current rules, which require banks to file suspicious activity reports no later than 30 days after an incident.
The new rule responds to the rising threats and the desire to get information to regulators and the public quickly when serious attacks happen. At its most basic, the new rule addresses incidents that interrupt or threaten to interrupt service for four or more hours. But the rule also addresses worst-case scenarios: attacks that may block an institution's ability to operate or, in the extreme, threaten the stability of the financial system. In any of those cases, an institution has 36 hours to report to regulators and notify customers and contractors.
While 36 hours may sound like plenty of time, it can seem very brief to a short-handed IT team racing to protect a CFI's systems and maintain operations in the face of a serious threat.. Take the time now to prepare your institution for such threats!
Subscribe to the BID Daily Newsletter to have it delivered by email daily.

Related Articles:

Acing Regulatory Exams Requires Knowing What Regulators Want
As regulators shift their focus areas for this year’s audits, CFIs should pay particular attention to the new areas that have caught the eyes of regulatory agencies. Knowing what each particular regulator is focusing can be key to acing regulatory exams.
The CRA’s Impact on Successful Community Development
CRA-regulated CFIs play a crucial role in supporting low- and moderate-income communities and small businesses. We discuss how institutions can ensure compliance with the Act, and how it is evolving to meet the needs of today’s world.