New Ruling Sets Security Incident Notification Standards Financial Organizations

A new rule issued by the OCC, Board of Governors of the Federal Reserve, and the FDIC requires banking organizations to notify federal regulators within 36 hours of certain security incidents. The ruling, titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, is strengthening the need for enhanced visibility, real-time detection, and intelligent response in the banking industry. The mandatory ruling, which goes into effect on April 1 and becomes enforceable on May 1, is described as "an effort to help promote early awareness of emerging threats to banking organizations and the broader financial system."

The new rule comes at a critical time for banking organizations. The financial services industry is a prime target for adversaries, who are stepping up the frequency and severity of their attacks. To help mitigate damage to banking organizations and their customers from a "computer-security incident," whether malicious or unintentional, the new rule requires federal regulators to be notified as soon as possible when a computer-security incident rises to the level of a "notification incident."

Details of the New Rule

The ruling defines a computer-security incident as "an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits."

The ruling further clarifies that "computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes."

The computer-security incident only has to be reported when it rises to the level of a notification incident, which includes:

• Cyberattacks that prevent customers from accessing their accounts for non-trivial lengths of time
• Widespread system outages to core business applications from bank service providers
• Ransomware attacks that encrypt core banking systems or backup data
• Malware that may result in a threat to an organization's critical operations
• System failures that force banking organizations to activate business continuity or disaster recovery plans
• Cyberattacks that disable banking operations for extended periods
• Failed system upgrades that cause widespread outages for customers and employees

While the examples above are not exhaustive, they do help clarify the scope of events that rise to the level of a notification incident. Ultimately, it's up to banking organizations to consider these incidents on a case-by-case basis and notify the appropriate agency.

Key Takeaways from the New Rule

The important takeaways from this ruling is that the definition of a computer security incident is not limited to malicious events, but can be any event that impacts the IT infrastructure and customer network. It further cements the reality that, when evaluating events and incidents, walls or silos between security, network, cloud, and IT operations can only impede visibility, investigation, evaluation, determination, and eventual notifications of critical incidents.

To remove silos, banking organizations need a unified view of their cloud and on-premises environments to detect, investigate, and respond to incidents. Unfortunately, many security tools and processes create friction by fragmenting incident response and troubleshooting efforts. The ruling also adds pressure for organizations to make intelligent decisions regarding root cause and effect, which is critical to shortening time to respond, but may not be achievable without adding more widespread visibility across the attack surface and IT operations.

While the ruling does not mandate a time limit or define scoping requirements for investigations of events or incidents before determining if said event rises to the level of a notification incident, the spirit of the ruling is to encourage rapid incident investigation and response for the benefit of the entire U.S. financial system.

How ExtraHop Helps You Comply with the New Rule

By taking a network-based approach to securing sensitive banking information, ExtraHop Reveal(x) 360 provides analysts and incident responders with the complete visibility, real-time detection, and intelligent response capabilities required to meet the new, more stringent reporting standards.

By offering contextual data that can be easily shared, Reveal(x) 360 helps eliminate friction between IT operations and security teams, allowing them to respond and resolve incidents faster—malicious in nature or not. Reveal(x) 360 helps banking organizations achieve this through:

Complete Visibility

Reveal(x) 360 provides deep and continuous visibility into east-west and north-south traffic from the data center to the cloud to the user and device edge, even if that traffic is encrypted. Reveal(x) 360 also provides automatic and continuous asset discovery, classification, and dependency mapping across environments for an always-up-to-date inventory.

Real-Time Detection

Reveal(x) 360 uses cloud-scale machine learning with more than 1 million predictive models to detect anomalous and suspicious behaviors, as well as advanced threats, as soon as they occur. High-fidelity alerts with context empower analysts and incident responders to understand what's happening and respond with confidence.

Intelligent Response

Reveal(x) 360 helps security and IT operations teams pivot from detection to forensic evidence in seconds with streamlined investigative workflows. A cloud-hosted record store with 90-day lookback enables deeper forensic investigation and richer reporting. With integrated response automation, you can immediately act on threats.

Threat-Free Network Assurance

For organizations with mission-critical confidentiality, integrity, and availability requirements that need to have complete assurance in the integrity of their network, ExtraHop also provides

Reveal(x) Advisor. A comprehensive offering, Reveal(x) Advisor amplifies Reveal(x) 360 and enterprise security teams with integrated threat investigation, analysis, intelligence and proactive hunting services that shortens incident response and delivers network assurance.

Try Reveal(x) 360 for yourself

To experience Reveal(x) 360 for yourself, start the live online demo. You can stop a SUNBURST attack, find threats in a real cloud environment, or investigate a simulated attack unfolding in real time. You can also choose to explore the demo on your own.