Cyberattacks targeting financial institutions have increased in severity and frequency in recent years. Due to the industry’s interconnected nature, and reliance on third-party data partnerships, these attacks can significantly impact banking networks, business continuity processes, and the quality of service banks provide customers. 

To promote early awareness of emerging threats to banking organizations before they become systemic, regulators at the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) collaborated on a rule to establish computer-security incident notification requirements for banking organizations and their bank service providers.

The Computer-Security Incident Notifications (CSIN) rule ensures that the OCC is aware of and can act quickly to mitigate risk from material computer security incidents affecting banks.

CSIN Reporting Timeline and Threshold

The CSIN rule requires banks to notify the OCC as soon as possible, and no later than 36 hours, after determining that a computer security incident has occurred. FDIC breach notification requirements and Federal Reserve cybersecurity reporting obligations for financial institutions can be filed using the same OCC form.

The rule defines a computer security incident as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
A notification incident generally includes a significant computer security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector.

This may include a major computer system failure, a cyber interruption such as a distributed denial of service (DDoS) or ransomware attack, or another type of significant operational interruption.

CSIN Third-Party Reporting Requirements

Under the rule, bank service providers must notify one designated contact at the affected customer bank if they experience a computer security incident that significantly affects, or is likely to affect, the covered services provided for four or more hours. If no point of contact has been designated, the service provider must notify the bank’s chief executive officer and chief information officer, or two individuals with comparable responsibilities.

The FDIC is clear that no matter where a cyberattack originates, each organization is responsible for conducting a risk assessment and communicating with affected parties if the event rises to the level of notification.

According to security and compliance experts, detailing these plans before an attack can make all the difference in meeting compliance with regulatory reporting obligations such as CSIN. 

Cybersecurity Board Reporting Obligations

Reporting requirements for cybersecurity events are multiplying across industries. From the EU’s GDPR to the recent SEC cybersecurity risk management rule, regulators want organizations to communicate potential risks quickly and clearly. As the number of regulations increases, so does the audience for required reporting: current regulations mandate notifications to federal regulators, business partners, and boards of directors.

According to Chris Hetner, Senior Cyber Risk Advisor to the National Association of Corporate Directors (NACD), “Cyber risk management is a practice that requires the entirety of a company to ensure business resilience with an inclusive message of collaboration that encompasses all enterprise risk management leaders.”
Reporting risk is no small feat. Besides navigating a series of unique and nuanced regulatory requirements, IT managers and cybersecurity professionals must translate complex technical data into terms that are relevant to the board, which can be challenging. Synthesizing technical detail into business-relevant terms and finding common ground around a shared goal of risk mitigation can help managers communicate effectively with stakeholders.

While risk mitigation will look different for every business, cyber event reporting is now a board-level issue across industries, and building rapport with stakeholders will be a crucial responsibility for CISOs moving forward. Effective reporting will require connecting cyber events to financial impacts and establishing clear roles and responsibilities within response teams.

Establishing a cyber risk management and incident response process that operationalizes a risk matrix against urgent cyber events will help your organization establish a consistent, documented, and repeatable process for assessing risks, communicating with stakeholders, and building trust with regulators.