7 data breach reporting rules banks need to understand

On May 1, the protocols U.S. financial institutions must follow after a cybersecurity breach changed, and more changes are still to come.

Three bank regulators this month began asking banks to report cybersecurity incidents within 36 hours when such breaches have caused serious harm or are likely to. The three regulators are the Federal Deposit Insurance Corp., Federal Reserve Board and Office of the Comptroller of the Currency.

Banks already faced a number of requirements to report incidents to various parties, and more such compliance burdens are set to go on the books over the coming years. Some hope a recently signed law on cybersecurity incident notifications will harmonize this web of rules.

Cyber reporting requirements tend to differ in their purpose, but “ultimately, what all these regulators are trying to do is promote information sharing,” said Jorge Rey, chief information security officer for accounting firm Kaufman Rossin.

Part of the impetus behind the new rules is a widely held belief that cybersecurity incidents are chronically underreported. Three in four cybersecurity professionals believe that cybersecurity incidents are not fully disclosed, according to a 2018 survey of more than 1,500 cybersecurity professionals.

ISACA, an international professional association focused on IT governance, conducted the survey. In a proposed rule on cybersecurity incident notifications, the Securities and Exchange Commission cited the survey as evidence of underreporting.

Here is a look at the existing, proposed and planned requirements U.S. banks face after a cybersecurity incident.