Starting May 1, banks in the U.S. will be required to notify their primary federal regulator of a cybersecurity incident within 36 hours, a tight turnaround time that could be challenging for some institutions, said David Murphy, cybersecurity manager at the accounting firm Schneider Downs.
"It's definitely going to be a challenge, especially for small banks," Murphy said of the new rule, which also applies to bank service providers.
The deadline to comply with the rule comes as the Biden administration has warned U.S. businesses of a growing risk of Russian cyberattacks.
President Biden has also encouraged businesses to comply with a new law, included in the $1.5 trillion spending bill he signed last month, that requires companies to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of learning of a hack.
The joint rule, issued by the Federal Deposit Insurance Corp. (FDIC), the Office of the Comptroller of the Currency and the Federal Reserve in November, requires financial institutions to adhere to a shorter timeline.
"The 36 hours is actually probably one of the tightest rules out there, in terms of timing," Murphy said. "In addition to that, you have to consider what designates a reportable incident."
Under the rule, banks are required to notify their primary regulator as soon as possible and no later than 36 hours after the firm determines that "a computer-security incident that rises to the level of a notification incident has occurred."
In the rule, the agencies define a computer-security incident as "an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits."
Murphy said the agencies' language regarding what qualifies as a "notification incident" is fairly broad.
"I think they intentionally left it in that gray area," Murphy said. "They just want you to contact them even if you think that there's a gray area and then they'll let you know. Overall, that's a good thing. I think it's going to make people realize how big a problem this is, because I think the industry as a whole doesn't really fully understand."
Murphy said banks will likely need to have internal discussions with their legal departments around what constitutes a reportable incident.
"That's probably something that will be litigated later on," he said.
Escalating threats
"Banks have always had some level of regulation on them as it relates to cybersecurity. But in this case, I think what regulators are trying to do is nail down, 'How big is this problem?'" Murphy said of the motivation behind the rule.
According to a 2022 report from the cloud computing company VMware, 63% of financial institutions experienced an increase in cyberattacks in the past year, up 17% from the previous year's report.
U.S. banks have been targets for hackers amid escalating international conflicts in the past.
In 2012, Iranian hackers, responding to U.S. sanctions against the country's nuclear weapons program, attacked Capital One and BB&T, causing widespread outages at both banks.
With next month's incident reporting deadline approaching, Murphy said banks need to have the phone numbers and email addresses of the appropriate agency officials readily available in the event of a security incident.
"That information should already be prepared. Thirty-six hours is a short timeline, and there might be some debate," Murphy said. "That's probably going to be the hardest part, debating what meets that threshold."
As warnings and guidance around cyber risks in the banking sector increase, Murphy said it's a good time for a bank's IT staff to highlight the importance of cybersecurity investments.
"It definitely gives the IT staff an opportunity to seek more funding and let the board know that this is an important thing to do and take care of cybersecurity in general," he said.