On November 18, 2021, three US agencies – the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC) – issued a joint rule concerning computer-security incident notifications, which will go into effect on April 1, 2022, with a full compliance date of May 1, 2022. The rule establishes computer-security incident notification requirements for banking organizations and their bank service providers. Unlike existing breach notification laws, the rule focuses on incidents that impact the operations of banking organizations.

To what organizations does the rule apply?

The rule applies to “banking organizations,” which for the OCC includes national banks, federal savings associations, and federal branches and agencies of foreign banks. For the FRB, “banking organizations” includes all US bank holding companies and savings and loan holding companies, state member banks, the US operations of foreign banking organizations, and Edge and agreement corporations. For the FDIC, “banking organizations” includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations. Banking organizations are akin to data owners or controllers under current breach notification laws and have the primary obligation to notify regulators of a security incident.

The law also applies to “bank service providers” (BSPs), meaning any “bank service company” or other person who performs “covered services,” which are services performed by a “person” that are subject to the Bank Service Company Act (12 USC 1861–1867), and includes check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.¹ In this context, BSPs take on a role like service providers, data maintainers or processors under existing data breach notification laws. In the event of a reportable computer-security incident, BSPs must notify the banking organizations affected by the incident.

What is the trigger for a notification under the rule?

Obligations of banking organizations

Under the rule, banking organizations must notify their primary regulator (the OCC, FDIC or FRB), as soon as possible and no later than 36 hours after the banking organization determines that a “computer-security incident” occurred that rises to the level of a “notification incident.” Importantly, the 36-hour clock does not begin until the thresholds in each definition are satisfied. As such, banking organizations in many cases may reasonably take the position that time investigating an incident does not count against the 36-hour deadline until the conditions of each definition – which include confirming “actual harm” and a material disruption or degradation of the bank’s operations, as described in more detail below – are met.

The rule defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits” (emphasis added). However, the rule does not define “actual harm.” As compared to other breach notification laws, the “actual harm” standard is a high standard for triggering a notice – it arguably does not include incidents where harm has not been confirmed, even when there is a suspicion of potential harm, or where harm has not been detected but cannot also be ruled out.

Even if the computer-security incident definition is met, the incident is not a reportable “notification incident” unless it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade the banking organization’s:

• Ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business.
• Business lines, including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value.
• Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the US.

Here, unlike traditional breach notification laws that are focused on breaches affecting personal information, the rule focuses on operational impacts of security incidents. Moreover, in addition to the actual harm threshold, a notification is not triggered unless the material disruption or degradation standard is met. Based on this double-trigger approach, affected banks in many cases will be able to reasonably conclude that certain security incidents will not have to be reported to regulators.

In fact, the three US agencies acknowledged that not all computer-security incidents are reportable and provide a non-exhaustive list of incidents that generally are considered a “notification incident” under the final rule:

• Large-scale distributed denial-of-service (DDoS) attacks that disrupt customer account access for an extended period (e.g., more than four hours).
• A BSP used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages, and the recovery time is undeterminable.
• A failed system upgrade or change that results in widespread user outages for customers and banking organization employees.
• An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan.
• A computer hacking incident that disables banking operations for an extended period.
• Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations, or requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections.
• A ransom malware attack that encrypts a core banking system or backup data.

Again, all these examples focus on disruption or degradation of bank operations, and are geared more toward critical infrastructure and service availability concerns rather than consumer privacy.

Obligations of bank service providers

A bank service provider must notify a “bank-designated point of contact” at each banking organization affected by a computer-security incident “as soon as possible” after determining that it has experienced a computer-security incident that “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” Below, we’ve outlined some interesting nuances to the reporting obligations associated with BSPs.

• Triple trigger: BSPs arguably have a higher threshold (i.e.,less likely to trigger notification) for reporting than banks because the rule identifies three triggers – actual harm, a material disruption or degradation, and a four-hour minimum. As such, even if a security incident does cause a material disruption or degradation, it does not need to be reported unless it continues for “four or more hours.” It is unclear how continuity is to be measured in this context.
• Four-hour trigger in addition to other triggers: Some might view the four-hour downtime requirement as establishing a threshold for defining the “materiality” of a BSP’s degradation or disruption of services. However, the language clearly appears to require a material degradation or disruption and that it lasts four or more hours.
• Establishing a bank-designated point of contact: The rule contemplates scenarios where multiple banking customers of a BSP are affected by a single incident. If the BSP has not been provided with a bank-designated point of contact by its banking customers, it must notify each bank’s CEO and CIO (or two other individuals with comparable responsibilities).
• Routine maintenance exception: Notification is not required for disruptions of services due to scheduled maintenance, testing or software updates previously communicated to a banking organization customer. As such, the rule appears to effectively require BSPs to provide notice of any scheduled maintenance, testing or software updates that could materially degrade or disrupt services if the maintenance, testing or updates last four or more hours.

Our take

The rule represents yet another obligation that financial institutions and their vendors need to consider in the event of a security incident. The rule is more geared to ransomware and DDoS attacks that bring down a bank’s systems, but the same incident could also affect consumer data and trigger GLBA reporting guidance, GDPR and foreign breach laws, state financial regulatory reporting requirements and state breach laws. Banks and BSPs should consider updating their incident response plans to take all of these requirements into account.

In the event of a suspected data incident, you can reach members of Cooley’s data incident and breach response team at incident.response@cooley.com or +1 844 476 1248.

Notes

1. “Depository institution” means an insured bank, a savings association, a financial institution subject to examination by the appropriate federal banking agency or the National Credit Union Administration Board, or a financial institution whose accounts or deposits are insured or guaranteed under state law and are eligible to be insured by the FDIC or the National Credit Union Administration Board.

[View source.]