26 November, 2021

Even That’s Too Long. 36 Minutes Would Be Better.

And if I thought it was possible, I would say 36 seconds.

Banks must report major cyber incidents within 36 hours under finalized regulation – CyberScoop

Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that U.S. financial regulators finalized on Thursday.

Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks that have the potential to disrupt customers’ ability to access their accounts, or impact the larger financial system.

The rule, dubbed the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was cemented by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation. There is currently no specific window within which banks must report such incidents to the agencies in question.

Seriously, this is a great improvement. And having been through a cybersecurity incident, I understand how reporting earlier is likely to lead to misinformation and confusion. When we went through ours, I think it was several days before we had a good idea of what had happened and how, and longer than that before we determined the impact.

But everyone needs to be better and faster on these. And better at preventing them.
