Recent legislation sets a 72-hour deadline for reporting cyber incidents and a 24-hour deadline for reporting ransomware payments.
Last week the U.S. House and Senate passed the bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022, which is now awaiting President Biden’s signature. Under the act, federal agencies and businesses, including financial institutions, that are considered part of the U.S.’s critical infrastructure will be required to report covered cyber incidents within 72 hours, and ransomware payments within 24 hours, to the Cybersecurity and Infrastructure Security Agency (CISA). The act gives CISA the authority to subpoena organizations that fail to report cybersecurity incidents or ransomware payments, and organizations that fail to comply with a subpoena can be referred to the Department of Justice. It is important to note that CISA is given two years after enactment to propose rules and an additional 18 months to finalize them; the reporting obligations do not take effect until that final rule is in place. Expect more detail and clarity to come, including which entities are “covered entities” and which incidents are “covered cyber incidents.”
Breach Notification Rule
While the new act is significant in terms of setting notification standards for entities identified as part of U.S. critical infrastructure, the impact on banks may be less significant because of the federal banking regulators’ (OCC, Federal Reserve and FDIC) 36-hour computer-security incident notification rule, which goes into effect on April 1, 2022, with a compliance date of May 1, 2022. Under the rule, banks are required to notify their primary federal regulator of an incident that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the bank determines that a notification incident has occurred. Bank service providers have a separate obligation under the same rule: they must notify each affected bank customer as soon as possible when they determine that a computer-security incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services for four or more hours. Link to Breach Notification Requirements. Keep in mind the 36-hour notification rule has not been adopted by the NCUA at the time of this blog, so it does not apply to credit unions.
Beyond the difference in notification windows (72 hours versus 36 hours) there is also a difference in terminology and in what starts the clock: the act speaks of a “covered cyber incident,” while the banking rule speaks of a “notification incident.” These differences are likely to cause some degree of confusion for banks and bank service providers. The 36-hour clock does not start until the bank determines that a notification incident has occurred; in the rule’s preamble the agencies stated they anticipate “banks will take a reasonable amount of time” to make that determination. Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the 72-hour clock starts when a covered entity reasonably believes that a covered cyber incident has occurred. In practice this means an incident response plan should define who makes each determination, how it is documented, and when each clock is considered to have started.
Not So Fast On Ransomware Payments
One thing is clear: under the act, ransomware payments must be reported to CISA within 24 hours. Financial institutions should also keep in mind that on September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC. Reporting a payment within 24 hours does not cure a sanctions violation; the decision to pay should be made with counsel and with the OFAC advisory in hand, before any funds move.
Preparation and Testing are Key
Regardless of whether you are a bank, credit union, or financial institution service provider, we recommend developing and testing a robust incident response and reporting program that spells out which regulators and counterparties must be notified, under which rule, and on what clock. Cyber-attacks, whether perpetrated by cyber criminals or nation-state actors, represent significant threats to the U.S. financial sector.
How Can We Help?
CLA continues to provide seamless, integrated services to our clients. Our Financial Institution Cybersecurity Consultants can help you navigate new regulatory rules, develop and test incident response programs, or serve as your trusted advisor. We are here to know you and help you. Contact Us to learn more.