(Reuters) – US banking regulators on Thursday finalized a rule urging banks to report all major cybersecurity incidents to the government within 36 hours of their discovery.
to ensure that Wall Street knows how to respond in the event of a ransomware attack that threatens to disrupt a range of financial services.
The development highlights the growing threat posed by large-scale cyber incidents to financial stability.
"The financial services sector is one of the top targets, facing tens of thousands of cyberattacks every day," said Kenneth Bentsen, president of the Securities Industry and Financial Markets Association, which organized and led the industry exercise.
The new banking rule stipulates that banks must notify their primary regulator of a significant data security breach as soon as possible and no later than 36 hours after the discovery.
Banks must also notify customers as soon as possible of a cyber-security incident if it leads to problems lasting more than four hours.
The new requirement applies to all cyber-security incidents that are expected to significantly affect a bank's ability to provide services, conduct their activities or undermine the stability of the financial sector. The rule was approved by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency. types of banking services. Previously, there were no specific requirements on how quickly a bank must report a major data breach.