
New cybersecurity regulations raise bar of compliance at banks, credit unions

A slew of new rules and proposals is raising the cybersecurity compliance bar for banks and financial services companies.

Financial institutions should be prepared for more compliance work, higher litigation risks and potentially more enforcement actions resulting from new cybersecurity regulations, industry experts said. Unlike many other compliance matters examined by specific regulators, cybersecurity has become a universal concern addressed by a broad range of stakeholders, and the list of regulatory bodies to which financial service companies must report cyber incidents is long and growing.

In one example, the US Department of Homeland Security began collecting comments on April 4 on its proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act. The proposed regulation would require companies in "critical infrastructure sectors" — including banks, credit unions, credit card companies, broker/dealers and the broader financial services sector — to report covered cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency, part of the DHS (the proposal sets a 72-hour window for covered incidents and 24 hours for ransom payments).

US bank regulators are also considering changing how they assess banks' operational resilience, and one of the highlights is strengthening banks' ability to manage cybersecurity risks, acting Comptroller of the Currency Michael Hsu said in a speech in March.

Additionally, under rules adopted by the US SEC in July 2023, publicly traded companies are now required to report material cyber incidents in a Form 8-K filing within four business days of determining that the incident is material, and to describe their approach to managing cybersecurity risks in the annual Form 10-K report.

While those rules apply only to publicly traded companies, the SEC is proposing to extend similar disclosure obligations to more of the entities it supervises, including broker/dealers and investment advisers. When and if those proposals are finalized, the compliance work will add up for a large bank with broker/dealer or investment advisory arms, said Justin Herring, a partner at Mayer Brown.

"We're entering into a new phase of cyber regulation," Herring said. "One of the challenges is that a lot of these rules apply to specific kinds of companies. But if you're a large bank or nonbank institution, you probably have subsidiaries with different regulators that will each have their own cyber regulation."

New SEC reporting rules a focus

Bank regulators have already enacted reporting rules for cyberattacks. Since May 2022, banks have had to comply fully with a final rule issued by the Federal Deposit Insurance Corp., the Federal Reserve Board and the Office of the Comptroller of the Currency requiring them to notify their primary bank regulator within 36 hours of determining that a significant computer-security incident has occurred. The National Credit Union Administration has required all federally insured credit unions to report substantial cyber incidents within 72 hours since September 2023.

While events reported to bank regulators can be kept confidential, the SEC's requirement to report cybersecurity events in Forms 8-K and 10-K will increase the visibility of incidents that banks may not have had to make public in the past.

Financial services companies are taking a more conservative approach to public disclosures. Although the SEC only requires companies to report material cyber incidents, many have filed Forms 8-K for cyberattacks that they did not believe had a material impact.

SouthState Corp., for instance, filed a Form 8-K on Feb. 9 disclosing a cyber incident three days after it determined the nature of the event, well within the four-business-day reporting window under the SEC rules. Similarly, mortgage company Mr. Cooper Group Inc. disclosed an Oct. 31, 2023, cybersecurity incident in a Form 8-K filing on Nov. 2. Both companies said they did not believe the events would have a material impact.

While every company can make its own determination of whether an incident is material, investors could take a different view. If there is a substantial likelihood that a reasonable investor would consider the information relevant and make an investment decision based on it, a company that did not disclose the incident in a timely fashion would be at risk of litigation, said Mark Shaffer, a partner at Tannenbaum Helpern Syracuse & Hirschtritt LLP.

"From a public company perspective, where you never want to be is in possession of material information that you haven't shared with the market, because then you're opening yourself up for securities lawsuits," Shaffer said.

More states updating cybersecurity rules

Various state cybersecurity regulations are another source of complexity for financial institutions to navigate, industry lawyers said.

"Where a lot of the conversation is now is, what do you have to disclose? And who do you have to disclose it to and when? And that gets really complicated because there's both federal rules and every state has slightly different laws," Shaffer said.

The New York Department of Financial Services (NYDFS) is leading the way among state regulators in establishing and updating its cybersecurity regulation, known as Part 500. The regulation first took effect in 2017 and has been amended twice; the most recent amendment took effect in November 2023.

By April 15, financial institutions under the supervision of NYDFS, including 159 state-chartered banks and 16 credit unions, must file their annual certifications of compliance against the standards of the newly amended regulation.

"I would expect that over the next year or two, you're going to see other state banking regulators, besides NYDFS, enact cybersecurity regulations," said Herring, who was formerly the executive deputy superintendent of the NYDFS' cybersecurity division.

As regulators have heightened scrutiny of cybersecurity issues, there will likely be more formal and informal enforcement actions.

"There's going to be more enforcement cases, and there will be more cyber incidents too, where compliance problems will surface," Herring said.

Cybersecurity through the lens of third-party management

With the busy pipeline of new rules and more sophisticated cyberattacks, it is more important than ever for financial institutions to have an actionable cybersecurity response plan, experts said.

"I think there's definitely an uptick in incidents," said Erik Weinick, a partner at Otterbourg PC. "There's an uptick in people reporting incidents, not just because of regulations, but because of other obligations that they may have, such as contracts with others or requirements of their insurance carriers."

Since banks rely on vendors for many technology functions, third-party risk management has become a key framework through which regulators assess a bank's readiness to handle cybersecurity incidents. Ultimately, it is the bank that will be held responsible for the selection, oversight and management of its counterparties, vendors and service providers, said Chip MacDonald, managing director at MacDonald Partners LLC.

"After anti-money laundering, cybersecurity and data privacy are two of the highest risk elements that the banks can find, so they can't just hand it off to a third party," MacDonald said.

Although cybersecurity reporting rules may help institutions detect or prevent cyber events, too much reporting and compliance work can distract banks during an active incident, said Mary Ann Miller, fraud and cybercrime executive adviser at the digital identity verification company Prove.

"From the practical standpoint, I see that sometimes compliance can be more of a hindrance for the banks to focus on what's really important, and that's responding to the threats and preventing the threats," Miller said.