Corero

US Federal Agencies Propose Rule to Mandate Bank Cybersecurity Incident Reporting

Financial institutions, including banks, have long been targets for cybercriminals, because they hold large quantities of personal information that is attractive for identity theft, as well as large amounts of money that could be stolen outright. Banks experience a variety of cybersecurity incidents, such as ransom attacks, malware, data breaches and distributed denial of service (DDoS). At best, these attacks are highly inconvenient and detrimental to business operations; at worst, they put bank customers’ data and funds at risk. When a breach occurs, it is important that the relevant authorities are notified in a timely fashion.

To improve notification of cybersecurity incidents, this week (January 12, 2021) the US Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC) issued a joint notice of proposed rulemaking for Computer-Security Incident Notification Requirements. The purpose is not punitive; rather, it is to make the governing agencies aware of the threat so that they can help the targeted bank by providing information about a particular type of threat, or by facilitating and approving requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).

JDSupra reported that “The Proposed Rule would establish two primary requirements. First, a banking organization would be required to notify its primary federal regulator of any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. Second, a bank service provider of a service described under the BSCA would be required to notify at least two individuals at affected banking organization customers immediately after experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.”

The agencies have invited banks to comment on a notice of the proposed rule; the deadline for comments is April 12, 2021.

More Reason to Improve Cybersecurity Posture

The agencies acknowledge that banks typically do report cybersecurity incidents, but that reporting can take days, or in some cases weeks, so the proposal sets more stringent timeframes so that incidents are raised more quickly. If this rule is adopted, banks will have even more reason to improve their cybersecurity defenses; after all, fewer incidents will mean less time spent on compliance paperwork to document them.

Although DDoS attacks are not security breaches in themselves, they can prevent access to, or disable, banking services. In early 2020, several Australian banks received DDoS ransom threats, and in August 2020 the New Zealand Exchange (NZX) was hit by a volumetric attack that lasted several days, knocking the Exchange’s website offline. Furthermore, black hat hackers have used DDoS attacks to distract IT security analysts from more nefarious activity that has led to security breaches. Most banks already have protection in place, but not all DDoS mitigation solutions can handle the increasingly sophisticated and frequent nature of attacks. Legacy solutions may fail to detect small attacks or to effectively mitigate multi-vector DDoS. To defend against attacks immediately and effectively, organizations must have automated, always-on, real-time DDoS protection in place.

Corero Network Security is a global leader in real-time, high-performance, automatic DDoS defense solutions. Corero’s industry-leading SmartWall and SecureWatch technology protects on-premises, cloud, virtual and hybrid environments with a scalable solution that delivers a more cost-effective economic model than ever before. For more on Corero’s flexible deployment models, click here. If you’d like to learn more, please contact us.