Starting this month, banks that discover certain cyberattacks and other security incidents have just 36 hours to report them to federal regulators. This rapid reporting is a regulation trend that is spilling over to other sectors; Congress recently passed a law requiring critical infrastructure providers to report cyber incidents within 72 hours, and a proposed U.S. Securities and Exchange Commission rule would also require publicly-traded companies to publicly report such incidents to regulators and shareholders within four business days after determining that they could have any material effect on business, or are incidents that the average investor would want to know about.
Although compliance with such measures may be challenging, these regulations are important in that they promote transparency and information-sharing that could prevent future attacks or limit their damages. It could also let the government know whether any significant entities are under attack and to see if this is part of a bigger attack on the country. Both increased transparency and decreased attack severity are especially critical in the financial sector, which relies heavily on public trust and is the foundation of most economic activity. But in order for these regulatory requirements to have maximum effect, banks and financial institutions–as well as regulators– need to make sure they are going about them in a smart way.
