Policy Insights: FDIC Notification for Cyber Incidents

The FDIC's computer-security incident notification rules have gone into effect this week. Banks and other covered institutions must report qualifying cyber incidents to their primary federal regulator no later than 36 hours after determining that a notification incident has occurred.

Policy insights:

According to Chris Strand, Chief Risk and Compliance Officer, Cybersixgill:

“The new cyber incident reporting rules turn up the heat on U.S. banks to up their game in terms of quantifying and qualifying a compelling ‘security incident’ or breach. Even though the changes from 72 hours to 36 hours to identify allow banks some additional flexibility in the broadness of notification and greater analysis time on determination of an incident, it could drive some positive trends on how businesses manage and analyze their digital threat surface, as well as how they go about reducing the noise and intelligence associated with profiling their enterprise for security.

The shortened window to identify an incident will no doubt endeavor to speed up the identification of an attack before it can proliferate across the enterprise and its integrated partners. It could also push banks to invest more time, and possibly resources, on how they measure their business processes and their use of data, and find any of the gaps that could make those assets vulnerable. If the shortened notification drives banks to develop solutions that can identify security gaps faster, this could make its way into other industries and perhaps other regulations where similar themes are developing around analyzing and understanding the threat-scape faster.

One such industry-wide theme that could benefit from this new reduced notification rule is the trend towards proactive vulnerability and gap analysis. Accelerated prioritization of security gaps can play a major role in helping to identify potential security incidents faster, or even before a targeted attack happens. Many cybersecurity regulations and compliance standards have injected vulnerability prioritization into their requirements. The easiest way to achieve and fulfill that requirement is to proactively understand one’s enterprise assets to the point where the security hot spots or gaps stand out faster. If that awareness can be driven by the need to demonstrate alignment with the 36-hour window, then it could have a positive effect on driving needed change across the market.”