FDIC and OCC: What Financial Services Organizations Need to Know About the New Cybersecurity Incident Notification Rule

Data breaches are top of mind for everyone. Security professionals work in the trenches every day to prevent incidents before they happen. Consumers are up every night worrying that their private data is for sale on the dark web. The general consensus is that we should do whatever we can to make our personal data more secure. For many industries, this is not just a noble goal, but a regulatory requirement.

This is particularly true for the Financial Services industry. Many existing federal and state laws require strong data protection programs. Despite the heightened regulations, data breaches are about to become even more top of mind for U.S. Financial Institutions.

In the run-up to Thanksgiving, U.S. banking regulators (OCC, FDIC) issued a final rule that requires banks to notify their primary regulator within 36 hours when facing a “computer-security incident” that rises to the level of a “notification incident.” The rule further requires banks to notify customers when there will be a service disruption of four or more hours.

The rule, which takes effect April 1, 2022, defines a qualifying cybersecurity incident as an event that “results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

As enforcement of this rule takes effect, it will be imperative for Financial Institutions to identify cybersecurity incidents quickly. If you don’t know an event has happened, you can’t comply with reporting requirements. Ignorance will be no excuse when it comes to compliance audits after the fact. The financial exposure to compliance lapses can be significant.

One might argue that it would be wise to report aggressively and frequently to avoid the potential for regulatory backlash. However, that approach will likely lead to a loss of trust with your customers. Therefore, it is equally important to be able to prove that there wasn’t a breach when you need to.

Ultimately, it comes down to having clear and actionable insight into what is happening in your organization at all times. This is where DTEX can help you to identify high-risk behaviors, including policy violations, in near real time so that you can move quickly to mitigate the risks of data exfiltration. Put yourself in a strong position to know exactly when you need to report and, more importantly, to mitigate risks preventively so that you avoid needing to report in the first place.

Learn more here to secure your organization and reduce your exposure to:

  • Monetary losses from data exfiltration
  • Regulatory fines
  • Erosion of market share from loss of customer confidence

Read the full FDIC rule here: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf