Banking and financial
A joint rule issued by the federal banking agencies (the OCC, the Board of Governors of the Federal Reserve System, and the FDIC) became effective this month. It prescribes new requirements and criteria that banking organizations and bank service providers (BSPs) must follow in identifying, and notifying regulators and customers of, qualifying cybersecurity incidents.
The rule defines a computer security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or of the information that the system processes, stores, or transmits. Critically, the rule does not define actual harm; an attempted intrusion that is detected and blocked before any such harm occurs would therefore not appear to meet the definition. The rule does, however, provide examples of incidents that would qualify, such as large-scale DDoS and ransomware attacks.
For banking organizations, only the subset of computer security incidents that fall within the definition of a notification incident are required to be reported. A notification incident, in turn, is defined as a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: