"What the new information security reporting standards mean for financial institutions" by Jeffrey P. Naimon, Moorari K. Shah, and James C. Chou (Cybersecurity Law Report)
Regulators recently proposed new rules that would require banking institutions to notify their primary regulators of certain computer-security incidents within 36 hours, and service providers to notify the regulated entities they serve as soon as possible of any incident affecting the provider's operations for four hours or longer. The FDIC, OCC and Federal Reserve jointly issued their rulemaking in December 2020, just as the massive SolarWinds hacking incident emerged into public view.
Concerns about the SolarWinds breach, election security, and the increasing digitalization of global markets – accelerated by the COVID-19 pandemic – have reinvigorated government efforts to improve the nation’s cybersecurity posture. Congress, adopting several key recommendations of the Cyberspace Solarium Commission, included language in the 2021 National Defense Authorization Act that would expand the scope, authority and resources allocated to the recently established Cybersecurity and Infrastructure Security Agency (CISA) in the Department of Homeland Security. This reflects the priority many top federal officials place on giving both the government and the private sector stronger and more resilient defenses against cyber threats.
In this article, we discuss the regulatory environment, including the NYDFS Cybersecurity Regulation and the proposed expansion to GLBA, and detail the new proposed joint rules and their potential implications.
Originally published in Cybersecurity Law Report; reprinted with permission.