A Quick Guide to Cyber Risk Reporting for Community Banks

By the very nature of finance, credit unions and community banks hold a considerable amount of personal information. Such a vast amount of data and its sensitivity is a goldmine in the hands of a cybercriminal, making cyber risk reporting for community banks all the more critical.

In 2021, there were a record number of identity theft and fraud cases in Europe, representing a 7% increase over 2020. As cybercrime has been growing steadily since 2017, both European and UK banking legislators require additional reporting for banks to protect consumers.

While additional reporting is beneficial, it poses challenges for community banks. With that in mind, we’re providing an overview of how the European and UK governments define a computer security incident, reviewing the new rules and offering some best practices for cyber risk reporting rules within the banking industry.

What are the new cyber risk reporting rules for community banks in Europe?

In November of 2021, the European Banking Authority (EBA) issued guidelines on incident reporting under the revised Payment Services Directive (PSD2). The guidelines state that payment service providers must notify their competent authority of significant operational and security incidents without undue delay, and no later than 72 hours after having established that an incident has occurred.

The new cyber risk reporting regulations, according to the EBA, mean payment service providers must have a designated point of contact with whom they can communicate via telephone, email or another method indicated by the competent authority. Furthermore, payment service providers must identify, assess, and manage operational and security risks relating to payment services.

In the United Kingdom, community banks are regulated by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). These regulatory bodies have established rules and guidelines for cyber risk reporting to ensure that community banks are adequately prepared for cyber threats and can respond effectively to any incidents that may occur.

The FCA and PRA require community banks to have in place a cyber risk management framework that includes a comprehensive cyber risk reporting system. This system should enable the bank to identify and assess cyber risks, as well as monitor and report on the effectiveness of controls and incident response plans.

What is defined as a computer security incident?

To better understand cyber risk reporting, it is helpful for community banks to understand how the government defines a computer security incident, as it clarifies exactly what banks need to communicate.

The following list details the parameters of a computer security incident:

• An incident that results in potential or actual harm pertaining to the confidentiality, availability or integrity of an information system or data that the system stores, transmits or processes; or an incident that is an imminent threat or violation of security policies, acceptable use policies, or security procedures.
• A computer-security incident that the bank believes could materially degrade, disrupt or impair the bank’s ability to carry out banking activities, operations, processes; or deliver banking processes or products and services to the bulk of its customers during ordinary banking operations.
• Any of the bank’s business lines including operations, functions, services, or support that would cause a tangible loss of profit, revenue or franchise value; or the failure or discontinuance of functions, services or support that would cause a potential threat to the economic stability of Europe.

Furthermore, the government lists other types of incidents they consider to be necessary for rigorous cyber risk reporting. This list is not exhaustive, meaning community banks and other financial organisations must use their best judgment to decide what is necessary to report.

These additional cyber risk incidents include:

• Denial of service attacks of a large scale that disrupt access to customer accounts for a lengthy period of around four hours or more.
• A core banking platform provided by a bank service provider that the bank uses to operate business operations that has a widespread outage, and there is no designated recovery time.
• A system change or upgrade that fails or causes extensive outages for banking customers and bank employees.
• A system failure that cannot be recovered and causes a bank to resort to its business continuity plan or disaster recovery plan.
• A computer system hacking incident that incapacitates the bank’s operations for a lengthy period of time.
• A malware incident on the bank’s computer network that is considered an imminent threat to the bank’s core business lines or other critical operations that also results in the bank having to disable products or information systems that were compromised during an attack where they support the bank’s core critical operations or lines of business.
• A malware incident that encrypts backup data or a core banking system.

Regarding rules for requirements for reporting on cyber risk for community banks in Europe, the regulations may vary depending on the country and the specific regulations that apply to the bank.

However, some common guidelines for reporting on cyber risk for community banks in Europe include the need to report any significant data breaches, cyber attacks or cyber incidents that impact the bank’s operations, customers or data.

Additionally, the bank must have measures in place to ensure the confidentiality, integrity, and availability of their systems and data. The bank must also conduct regular risk assessments and implement appropriate security measures to mitigate identified risks.

As a company firmly committed to modern governance, we understand the substantial disruption that the challenges of a major crisis can present for governing bodies. To help governance leaders navigate through the uncharted waters and prepare for future crises, we’ve put together a Crisis Management Toolkit with core considerations and guidelines, tips and best practices to implement immediately. Download your copy now!

Cyber risk reporting rules for community banks in the United Kingdom

The following are the key cyber risk reporting rules for community banks in the United Kingdom:

1. Incident Reporting: Community banks must report any significant cyber incidents to the FCA and PRA as soon as possible. The incident report should include details of the incident, the impact on the bank and its customers, and the remedial action taken.
2. Risk Management: Community banks must have a robust risk management framework that identifies and assesses cyber risks, evaluates the effectiveness of controls, and reports on risk exposure to senior management and the board.
3. Board Oversight: The board of directors of community banks must have oversight of the bank’s cyber risk management framework and be fully informed of any significant cyber risks and incidents.
4. Third-party Risk Management: Community banks must have a process in place for assessing and managing third-party cyber risk, including due diligence on third-party service providers and contracts that include cyber risk management provisions.
5. Training and Awareness: Community banks must provide regular training and awareness programs to employees to ensure that they are aware of the cyber risks faced by the bank and how to identify and report potential incidents.
6. Testing and Evaluation: Community banks must regularly test and evaluate the effectiveness of their cyber risk management framework, controls, and incident response plans to ensure that they are fit for purpose.

Best practices for cyber risk reporting for community banks and credit unions

While governments may outline the definition of a cybersecurity incident and the rules for reporting requirements, community banks and credit unions are on their own to establish policies and procedures to comply with the new reporting requirements. To that end, we’ve developed some best practices for cyber risk reporting as a starting point for credit unions and community banks.

If you haven’t done so, designate a single point person responsible for receiving notifications of cybersecurity incidents as stated in your agreement with your core internet platform service provider. Your board should review your agreement every year and update it as necessary.

Review your policies and procedures and update them to comply with the new regulatory requirements. Be sure they match the regulations for what constitutes a notification incident and update the process for contacting the regulatory authorities. Designate someone to check regularly to ensure they have the most recent contact in case of a turnover at a regulatory agency, which often happens.

Run a tabletop exercise yearly as part of your business continuity plan process. Walk through how your bank will communicate incidents to the regulatory authorities so you can be sure your bank complies with the new rule.

Moving forward with cyber risk reporting for community banks

As credit unions lack the level of capital and staffing compared to larger banks, the reporting timeframe can prove to be challenging. The new cyber risk reporting requirements are in addition to community banks’ other risk management practices.

Community banks and credit unions must submit regular reports and create new cyber risk reports while dealing with the cyber security incident itself is bound to tax IT staff and other resources. As they generally use a service provider for their core platforms, bank executives will also have to discuss with their providers to ensure all parties abide by the new cyber risk reporting rules.

In Europe, there are various regulatory requirements for reporting on cyber risk for community banks and credit unions. The European Banking Authority has published guidelines on how banks should report cyber incidents, including the types of incidents to be reported, reporting timelines, and the information that should be included in the reports. The guidelines aim to ensure a consistent approach to cyber incident reporting across the European banking sector.

For UK based credit unions and community banks, the FCA and PRA require them to have a comprehensive cyber risk management framework that includes effective reporting and incident response capabilities. These rules and guidelines are designed to help community banks manage cyber risks and protect their customers and stakeholders from the impact of cyber incidents.

In addition to the regulatory requirements, community banks can also benefit from adopting best practices in cybersecurity. This can include implementing a robust cybersecurity framework, conducting regular risk assessments, and providing cybersecurity training to employees. By taking a proactive approach to cybersecurity, community banks and credit unions can better protect themselves and their customers from cyber threats.