A new blog post from BallardSpahr observed that:
The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting regulatory patchwork of varying disclosure and timing obligations. These tightened reporting obligations raise new challenges for financial institutions who must not only ensure that their own programs are aligned with the new requirements, but also be certain to pass along reporting obligations to service providers.
Yet, “[t]he abrupt shift in reporting obligations comes after an extended period of time when most financial institutions faced consistent reporting obligations.” The posting observes that:
Managing and meeting these new deadlines—and keeping track of the different content and submission requirements associated with each disclosure—can be challenging. Additionally, these requirements may trickle down even to companies not directly regulated by the above agencies, as many financial institutions may consider new default rules, such as requiring 24-36 hour reporting across the board for their service providers. As the cybersecurity regulatory landscape continues to evolve, companies should review their third-party service provider arrangements and incident response plans and stay on top of legislative and regulatory developments to ensure they are in a good position to meet increased expectations and accelerated reporting timelines.