In case you missed it, banking organizations now have new rules to follow for cybersecurity incident reporting. As of May 1, 2022, a banking organization must notify its primary Federal regulator as soon as possible, and no later than 36 hours, after it determines that a qualifying "computer-security incident" (a "notification incident" under the rule) has occurred.
This final rule, issued jointly by the Department of the Treasury's Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation, also requires bank service providers to notify each affected banking organization customer as soon as possible when the provider determines that a computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
While this new rule is a necessary step toward greater security in our financial system, your existing resources, including your personnel, may not yet be prepared or equipped to meet its deadlines.
To prepare for the new 36-hour deadline, Fortalice first recommends that all banking organizations read the final rule as published by the regulators: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf.
Additionally, we strongly urge you to conduct a comprehensive review of your incident response plans (IRPs) to confirm that they capture your organization's current cybersecurity incident reporting requirements: the mandatory reporting timeframe, whom you report to, and what information you must share. Because the 36-hour clock starts when the organization determines that a notification incident has occurred, your IRP should also name who is authorized to make that determination and how it is recorded.
If this new rule and its various requirements have your head spinning and you need more thorough guidance, the Fortalice team is at your service:
For additional information on Fortalice Solutions service offerings, contact the team via email at firstname.lastname@example.org.
Be healthy. Be safe. Be well.
In the course of our investigative work, Fortalice has observed an increasing and alarming trend: personal email compromise leading to business email compromise. Threat actors exploit weaknesses in executives' or board members' personal cybersecurity hygiene, such as a personal mailbox that serves as the recovery address for a work account or a password reused across both, to gain access to their business accounts. Extortion also remains a top cybersecurity threat, with organized criminals overseas routinely targeting corporations and the people who support them.
Silicon Valley Bank (SVB) was shuttered early this month (March 2023) and placed into FDIC receivership in the largest U.S. bank failure since the 2008 financial crisis. Although it may seem that SVB's collapse will only affect its direct customers and depositors, the fallout is far more complicated. Like vultures to roadkill, cyber scammers wait to exploit victims after tragedy strikes or bad news breaks. The perfect storm of stress, uncertainty, and urgency that customers and vendors alike feel during such a time can impair their judgment, leading them to click links and open emails they would otherwise ignore or delete. Fortalice has outlined a few of the ways cybercriminals social engineer their victims during times of extreme distress and insecurity.