Reporting, notifying and disclosing a data breach or cybersecurity incident.
Organisations often fall short of their data breach notification obligations, and many trades now face accelerated notification deadlines. Banking organisations and bank service providers, for example, are subject to the new reporting requirements from the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) on IT, data, cyber and computer-security incidents. Those requirements focus on security events that disrupt regular operations, not only on breach events that significantly impact sensitive data subject or customer information.
The Proposed Rule would require a banking or financial organisation to notify its primary regulator no later than 36 hours after determining that an incident has a material impact. It would require a “bank service provider” to immediately inform the banking organisation when it detects an incident and its material impact. When implemented, the rule requires financial organisations to update their incident response plans and their vendor risk management incident programme to address the new reporting requirements.
Since data breach reporting applies to all organisations, let us review some general areas of updates and responses for every organisation. An IT, data, cyber or computer-security incident is an occurrence that:
- results in actual or potential harm to the confidentiality, integrity, or availability (the CIA triad) of an information system; or
- constitutes a violation or imminent threat of a violation of security policies, security procedures, or acceptable use policies.
The CIA triad serves as a framework for securing information systems, networks and related technology assets. Organisations therefore need to update the procedures, processes and mechanisms that address information security issues so that they meet the CIA triad goals for events that could materially disrupt, degrade or impair system processes, storage (databases) or data transmission.
Breach reporting places a significant burden on organisations. All organisations must carry out scenario planning exercises for breach reporting, notification and disclosure. The following scenarios can be used to test and update their plans:
- large-scale distributed denial of service attacks that disrupt systems, account access and related services for an extended period (e.g. more than x hours, with x determined by the type of trade and the sensitivity of the information held)
- widespread system outages with indeterminate recovery times at a service provider used by a trade organisation for its core transaction platform and applications
- failed system upgrades or changes that result in widespread user outages for customers, data subjects and employees
- unrecoverable system failures that result in the activation of an organisation’s business continuity or disaster recovery plan
- computer hacking incidents that disable operations for an extended period
- malware circulating on an organisation’s network that requires the organisation to disengage all Internet-based network connections
- ransomware attacks that encrypt a core IT or data system, or backup data.
Working through these scenarios provides valuable insight into IT and cyber-related events and information-security compromises. It also shows where existing requirements fail to give the organisation sufficiently timely information about every notifiable breach incident that needs to be identified, addressed and captured.
At our GDPR, Data Privacy and IT and Cybersecurity certification seminars, we go through how to conduct in-house scenario planning exercises. https://www.e-compliance.academy/online-certification-classroom-training/
Contact us for a customised online Scenario Planning workshop for the above seven cyber situations. firstname.lastname@example.org