Financial Institutions Required to Report Cyberattacks Within 36 Hours

Bloomberg recently reported that US banking institutions will be required to report major cyberattacks to regulators within 36 hours, according to a new rule issued by the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC). Any “computer security incident” that threatens a lender’s operations, services to customers or the stability of the financial system has to be disclosed to the bank’s primary government watchdog, according to a rule issued on Thursday that is set to go live on May 1. The regulation also applies to companies that service financial institutions, if their service disruption affects a bank for at least four hours.

This regulation may be intended to protect the financial infrastructure because it is critical to the economy, as well as to protect consumers’ interests and assets. Banks already have some of the most sophisticated cybersecurity systems in any industry, and the toughest regulations, including strict incident notification protocols for actual, or suspected, cyber incidents. Apparently, federal regulators found that they have not received notifications quickly enough, since some regulations require only that incidents be reported within 30 days. Furthermore, some financial institutions, especially the smaller ones, are not proactive enough in their incident reporting.

What are the Threats?

There are multiple forms of cyberattacks, such as ransomware, data theft malware, and Distributed Denial of Service (DDoS) attacks, that can impact banking operations. By their very nature, banks face an extraordinary volume and variety of cyber threats, because they are in possession of copious volumes of personal data, as well as currency and other valuable assets. They represent some of the most attractive targets for cybercriminals. And, because so many customers rely on their digital transactions to conduct financial business, banks cannot afford any amount of downtime. A DDoS attack, for example, which can easily result in system downtime, or even mask a security breach, can prevent bank customers from accessing their accounts, or impact the larger financial system. Either scenario can be devastating to a bank’s reputation, and negatively affect consumer trust and loyalty.

What Will be the Benefits or Impacts?

This regulation will, of course, affect strategic decisions for CISOs and many others in their organizations, particularly the network engineers and cybersecurity analysts. It also affects risk mitigation and line of business managers, because it raises the stakes for any cybersecurity mishaps. Banks may be obligated to further strengthen their cyber defenses.

At first, it might seem the best approach is to not disclose cybersecurity incidents to third parties, to avoid any loss of customer trust or brand reputation, or even to avoid disclosing a potential weakness to further attacks. However, there is an advantage to reporting such incidents, which is that government agencies get greater awareness of the cybersecurity challenges in the financial services sector, and discover common gaps in security practices. Furthermore, by collecting information from various institutions that have experienced attacks, law enforcement agencies may be able to identify the perpetrators, conduct investigations more quickly, and prosecute the cybercriminals more effectively.

Prevention Steps CISOs and Others Should Take

CISOs and many of their colleagues will have to fine-tune their incident response and reporting plans, and update their third-party service vendor risk management procedures. They should also review their definitions of cyber incidents that negatively impact the bank’s services or customers.

Of course, the most important aspect of risk assessment is to prioritize ways to close any security gaps. One of the easier tasks in terms of cybersecurity, which helps to ensure business continuity, is to deploy effective DDoS mitigation defenses. Blocking DDoS attacks is one of the most important things any organization can do, but it is especially important for banking institutions because cybercriminals can easily launch volumetric attacks that take down services and may lead to extortion, by way of ransom demand. Even modest DDoS attacks can impact unprotected security infrastructure, such as firewalls and IPSs, potentially enabling attackers to more easily install malware or exfiltrate data.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments.
