US bank regulators outline potential cyber-security rule

Federal financial regulatory agencies have outlined a proposal that would require supervised banking organisations to promptly notify their primary federal regulator in the event of a computer security incident.

In particular, alerts would be required for incidents that could result in a banking organisation’s inability to deliver services to a material portion of its customer base, jeopardise the viability of key operations of a banking organisation, or impact the stability of the financial sector.

Underlining what the proposal would provide and what it is intended to achieve, the bodies stated: “The proposed rule is intended to provide the agencies with an early warning of significant computer security incidents and would require notification as soon as possible and no later than 36 hours after a banking organisation determines that an incident has occurred.

“In addition, the proposal would require service providers to notify affected banking organisations immediately when the service provider experiences computer security incidents that materially disrupt, degrade, or impair certain services they provide.”