The rule, which will take effect in May of 2022, directs entities regulated by the Federal Deposit Insurance Corporation, the Federal Reserve System, and the Office of the Comptroller of the Currency to report any security incidents triggering a notification obligation to the bank’s customers that their data may have been compromised. Previously, there was no specified time frame for financial institutions to give notice to their regulators of such incidents. Additionally, service providers catering to the financial services industry will now be required to notify each of their banking customers as soon as practicable of any cybersecurity incident which has caused, or is reasonably likely to cause, a service disruption lasting more than four hours.
In a related development, the Securities Industry and Financial Markets Association announced it successfully completed an industry-wide cybersecurity drill designed to demonstrate Wall Street’s preparedness to respond to ransomware attacks. These initiatives underscore recent efforts by government and industry leaders to address the growing threat cyber risks pose to the stability of financial markets.
While policyholder advocates have lauded this decision, some legal scholars have expressed concern that by expanding the scope of loss under property policies, insurers could end up covering cyber matters under policies not originally designed for that purpose, a phenomenon known as “silent cyber.” Over the past two years, cases involving claims for “loss of use” of property as a result of COVID-19 restrictions have largely been decided in favor of insurers, since insureds were not able to show tangible damage to their property. However, in a split decision, the appellate panel here held that a temporary loss of access to a computer system due to a cyberattack could constitute property damage.