(Reuters) – U.S. banking regulators on Thursday finalized a rule requiring banks to report any major cybersecurity incident to the government within 36 hours of discovery.
Separately, the banking industry said it has completed a massive cross-industry cybersecurity exercise aimed at ensuring Wall Street knows how to respond to a ransomware attack threatening to disrupt a range of financial services.
The developments highlight the growing threat that large-scale cyber incidents pose to financial stability.
“The financial services industry is a prime target, facing tens of thousands of cyber attacks every day,” said Kenneth Bentsen, CEO of the Securities Industry and Financial Markets Association, which organized and led the industry’s exercise.
The new banking rule states that banks must notify their primary regulator of a significant IT security breach as soon as possible, and no later than 36 hours after its discovery.
Banks should also notify customers as soon as possible of a cybersecurity incident if it causes problems lasting longer than four hours.
The new requirement applies to any cybersecurity incident that could have a significant impact on a bank’s ability to provide services or conduct its operations, or that could jeopardize the stability of the financial sector. The rule has been approved by the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.
It sets explicit expectations on how quickly banks should report cybersecurity breaches, as regulators seek to catch up with the growing role that technology is playing in all types of banking services. Previously, there was no specific requirement for how quickly a bank should report a major IT breach.