BankInfoSecurity.com reported “that financial institutions “will have limited information on an event” within 24 hours. They add that the details of cyber intrusions involving nation-states or advanced persistent threat groups cannot be adequately gathered within 24 hours, given the need for assistance from federal agencies.” The August 17, 2021 report entitled “Banking Groups Object to Breach Notification Bill Provisions” included these comments:
The American Bankers Association, Bank Policy Institute and Consumer Bankers Association sent a letter to the U.S. Senate Intelligence Committee recommending that the Cyber Incident Notification Act of 2021 be amended to include a 72-hour notification requirement, rather than 24 hours.
The initial stages of an incident response require ‘all hands on deck’ to focus immediately on understanding the incident and implementing mitigation and response measures,…
Filing notification reports within 24 hours of incident discovery would result in “premature” and “erroneous” reports, they contend.
How much do we really know in 72 hours?