Stephen Gutleber | Apr 10, 2023
April 1, 2023, marks one year since the effective date of the final rule issued by the OCC, Board of Governors of the Federal Reserve System, and FDIC, requiring a banking organization to:
While not the focus of this blog post, the final rule also requires bank service providers to notify affected customers as soon as possible if a “computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”
While notification requirements previously existed, the final rule was issued to set the 36-hour requirement in recognition that it is important that a “banking organization’s primary federal regulator be notified as soon as possible of a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.”
The final rule encourages timely notification to allow agencies to:
Have early awareness of emerging threats to banking organizations and the broader financial system
Better assess the threat a notification incident poses to a banking organization and take appropriate actions to address the threat
Facilitate and approve requests from banking organizations for assistance through U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)
Provide information and guidance to banking organizations
Conduct horizontal analyses to provide targeted guidance and adjust supervisory programs
A “computer-security incident” is an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
A “notification incident” is defined as a “computer-security incident” that a banking organization believes in good faith could materially disrupt, degrade, or impair:
The final rule includes a non-exhaustive list of incidents that are considered “notification incidents” under the final rule:
Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
A computer hacking incident that disables banking operations for an extended period of time;
Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
A ransom malware attack that encrypts a core banking system or backup data.
Computer-security incidents are to be evaluated on a case-by-case basis to determine whether notification is needed. If there is doubt as to whether notification is required, the final rule encourages you to contact your regulator.
Hopefully, your banking organization has not experienced a computer-security incident in the last year, but it is imperative to amend your organization’s incident response plan and response procedures to ensure compliance with the final rule.
If you’re not sure, you might need an expert to help identify gaps in your compliance. Ingalls’ expert team of cyber risk management consultants is here to help evaluate your incident response procedure for compliance with the final rule, consult on any needed changes, and provide customized tabletop testing scenarios to ensure an appropriate response should your organization fall victim to a “computer-security incident” requiring notification.