Acting comptroller urges banks to get on board with cybersecurity incident report rule

Collaboration between regulators and banks to streamline the cybersecurity incident report and threat information-sharing process – as mandated by a rule adopted earlier this year – was the ask to financial industry representatives from the leader of the national bank regulator in remarks he delivered Tuesday.

Speaking to the Financial Services Sector Coordinating Council (FSSCC, an industry-sponsored group that seeks to coordinate critical infrastructure and homeland security activities), Acting Comptroller of the Currency Michael Hsu acknowledged that the financial services industry has done “a good job of building cyber defenses and working with law enforcement and the regulatory community to guard against attacks.” However, he warned against complacency. “In a world of constantly evolving threats, vigilance must be maintained, especially when things are quiet,” Hsu said. “And with increasingly complex dependencies in the provision of financial services, heightened focus on the resilience and recovery capabilities of critical operations is imperative.”

The leader of the Office of the Comptroller of the Currency (OCC) urged the group to join him in committing to the Computer-Security Incident Notification Rule, which he said ensures “timely notification to the primary regulator when a cyber attack impacts operations or the ability to provide services to customers.”

He indicated that if industry joins with the OCC in a commitment to the rule, the result would be a streamlined incident report and threat-information-sharing process. “By doing so, we ensure that critical information is shared with required stakeholders on a timely basis, while working to eliminate duplicative or unnecessary burdens. In this manner, we can work to approach ongoing threats to our sector as a community to strengthen the collective defense of the financial sector and the nation,” Hsu said.

Under the rule, adopted in March by the federal banking regulators and which took effect May 1, the OCC must be notified after a bank determines that a notification incident has occurred. The agency must receive the notice as soon as possible and no later than 36 hours after the bank’s determination, under the rule.

Service providers must also comply with the rule; they must notify any affected banking organization “as soon as possible when the service provider finds it has experienced a computer-security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, services provided to such banking organization for four or more hours.”

Acting Comptroller of the Currency Michael J. Hsu Remarks before the Joint Meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council