May 11, 2022

The New Breach-Reporting Rules—Is 36 Hours Enough?

Late last year, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board, and the Office of the Comptroller of the Currency (OCC) issued a joint final rule to establish computer-security incident notification requirements for banking organizations and their bank-service providers. According to this rule, FDIC-supervised financial institutions are required to notify the regulatory authority within 36 hours of a verified computer-security incident* that rises to the level of a notification incident.** 

According to IBM’s Cost of a Data Breach Report 2021, it takes an average of 287 days to identify and contain a data breach. Given the complexity of IT and security environments in financial institutions, the real question should be: is 36 hours truly enough? 

Think Like a Hacker

Can financial institutions take action to reduce their mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) to computer-security incidents before they reach the level of a notification incident?

According to SafeBreach’s CISO Avishai “Avi” Avivi, this is where new technologies that leverage automation, intelligence, and scalability come into play. They can enable security teams in charge of security operations and incident response to quickly detect and isolate potential incidents and respond appropriately, regardless of the size and complexity of their environment. 

But these new technologies often add an additional layer of complexity to an already complicated security environment, leaving security teams to figure out how to:

  • Validate these new and complex security controls
  • Confirm security controls are optimally configured to withstand the evolving threat landscape
  • Check that minor configuration changes to one security control does not lead to a cascade of misconfigurations in their environment that can potentially allow an attacker to breach their network
  • Verify their cloud applications and cloud infrastructure do not accidentally open ways to breach critical assets deployed on-prem
  • Ensure their security operations center (SOC) can respond correctly to attacks hitting their environment

According to Avi, the solution is simple: think like a hacker. By understanding how bad actors may breach your organization, you’re able to gain greater visibility into security control performance to better understand and manage your risk. This is where breach and attack simulation (BAS) tools provide security practitioners and executives with a holistic point of view that ties into the organizational business risk. 

By continuously running attack scenarios against security controls, BAS tools enable teams to assess the efficacy of their entire security ecosystem, including the people, processes, and technologies in place. In addition, teams can validate specific controls, including email, endpoint, network, SIEM, web, data loss prevention, and more. BAS also offers a significant level of flexibility, allowing security teams to focus on specific attacks and threat groups that are a high priority for their organization in order to:

  • Conduct authoritative, fact-based security control validations
  • Conduct realistic attack scenarios for optimized incident response processes
  • Hold security vendors accountable

BAS + SOC = Increased Efficiency/Reduced Risk

BAS tools allow SOC teams to address their critical validation objectives, while mitigating the limitations of manual, labor-intensive activities like penetration testing or red teaming. This provides a more efficient, programmatic way to replicate an attacker’s mindset to continuously evaluate existing organizational security controls against advanced attacks in order to:  

  • Reduce Risk: Identify vulnerabilities, gaps, and errors before attackers can exploit them. Perform continuous validation to ensure that new risks—whether due to new attack techniques, new vulnerabilities within the enterprise environment, or new control configurations—are quickly identified and addressed. Gain objective insights needed to identify the most critical threats and take steps to address them.
  • Enhance Operational & Personnel Efficiency: Streamline administration and operations by knowledgeably identifying ineffective tools and eliminating them. Validate and optimize incident response plans by exposing security personnel to real-world attack flows. 
  • Maximize Return on Existing Investments: Objectively assess deployed security controls and determine which are working and which are not. Make the most of existing controls and ensure these systems are optimized to deliver the highest levels of security before investing in new technologies or new controls.
  • Intelligently Evaluate New Controls: Accurately test prospective solutions to determine which will work best in your environment.

While 36 hours may seem unrealistic when it comes to identifying and reporting potentially damaging breaches, financial institutions can leverage BAS technology to proactively ensure they are prepared to face the constantly evolving threat landscape. By leveraging BAS to continuously validate security controls against the latest threats at scale, these organizations can ensure a hardened security posture and optimize their threat detection and response processes to safely and quickly detect and manage a computer-security incident before it escalates. 


*Computer-security incident: An occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

**Notification incident: A computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. For example, a notification incident may include a major computer-system failure; a cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.

Get the latest
research and news