The Federal Deposit Insurance Corporation’s new cyber incident reporting requirements for banks are needed to advance information-sharing and improve industry-wide defensive capabilities. Financial services and institutions are the backbone of the U.S. economy and vital to its stability and, thus, national security. In fact, the financial services industry is one of the sixteen critical infrastructure sectors designated by the Cybersecurity and Infrastructure Security Agency. It is also one of the most targeted sectors by global cyber adversaries. This legislation is crucial because timely notification plays a significant role in restricting an attack’s scale, especially for institutions dependent on threat intelligence for defensive capability. 

Cyber-criminals often conduct attacks as part of broader campaigns, including executing supply chain attacks that affect dozens of unknowing victims. Supply chain attacks are often industry-centric because of reliance on the same or similar software or supplier for business operations. Once a vulnerability is discovered, attackers often accelerate their offensive operations to scoop up as many victims as possible before defenders can put a patch in place or broadly distribute an indicator of compromise (IOC).

When it comes to reporting, there are two main justifications: intelligence-sharing to assist defensive operations and preparedness or information-gathering for further investigation, attribution, and broader analysis. These two approaches can occur in tandem, but the priority and immediacy need to focus on the first: identifying attack attributes and IOCs to slow and disrupt ongoing attacks. These IOCs allow security teams to validate current security posture and when they need to take immediate action. For defense, incident reporting focused on attacker behavior, not attacker attribution, is essential for institutions to understand an attack’s anatomy and act to reduce future impacts.

While the financial services industry is an excellent place to start, this information-sharing should occur across all sectors so that every organization can strengthen its defenses. This need becomes increasingly important as companies defend beyond the breach with internal security protocols to disrupt attacks and maintain business resilience. Now that banks must report timely and detailed notifications, the government must equally commit to a quick timeline to share relevant threat-related intelligence back across the private sector. A collaborative defense between the public and private sectors ultimately depends on information-sharing going both ways.

While there are many benefits to this requirement, reporting these incidents in a timely fashion will increase the burden on security teams and potentially distract teams from ongoing incident response. Augmenting analysts’ capabilities with tools that can connect the dots among disparate security incidents and autogenerate the necessary report will play an essential role in helping banks report incidents within this tight thirty-six-hour deadline.

Marcus Fowler is SVP, Strategic Engagements and Threats​, at Darktrace.

Image: Reuters.