The new rule proposed by the US Office of the Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation expands the current requirements that banking organizations and bank service providers must follow when a security incident rises to the level of a “notification incident”. A security incident is any event that violates security policies, procedures, or acceptable use policies, or that results in actual or potential harm to the confidentiality, integrity, or availability of an information system.
According to the rule, “this notification requirement is intended to serve as an early alert to a banking organization's primary federal regulator and is not intended to provide an assessment of the incident”.
The new rule is a step in the right direction for cyber risk transparency in the financial services sector. The sector is both critical infrastructure and a prime target for hackers. It is also one of the best-performing sectors from a cyber governance perspective.
But such disclosure requirements (just like the earlier cyber regulation from the New York Department of Financial Services) should not be limited to the financial services sector; they should apply across all industry sectors. Digital technology is as critical to the functioning of industrial and healthcare companies as it is to banks. Regulatory efforts to strengthen transparency around cyber risk should therefore be applied broadly, in order to incentivize a larger cross-section of companies to improve security and lower growing systemic risks.