Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement

BakerHostetler
Contact

BakerHostetler

As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final rule that requires a federally regulated bank to notify its primary federal regulator within 36 hours after determining that a computer-security “notification incident” has occurred. We provide below a summary of the new notice requirement, which will apply to banking organizations and service providers starting in April 2022.

When does this final rule take effect?

The final rule takes effect on April 1, 2022, with full compliance extended to May 1, 2022. Regulators should provide supervised institutions logistics for notification in early 2022.[1]

Which organizations have to comply with this rule?

The rule applies to “banking organizations” and their “service providers,” and requires banking organizations to provide notification “as soon as possible” but, in any event, no later than 36 hours following an organization’s determination that a notification incident has occurred. The scope of banking organizations included under the ambit of each of these regulators varies, but it covers national banks, federal savings associations, and federal branches and agencies of foreign banks (OCC); insured state nonmember banks, insured state-licensed branches of foreign banks and insured state savings associations (FDIC); and U.S. bank holding companies and savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge Act and Agreement corporations (Board).

How does the rule affect banking service providers?

The rule requires banking service providers to notify the banking organizations to which they provide service of computer-security incidents as soon as possible after determining that a computer-security incident “has caused, or is reasonably likely to cause, a material service disruption of degradation for four or more hours.” Service providers are to notify “at least one bank-designated point of contact at each affected banking organization customer” about these incidents. However, if the banking organization has not previously provided a bank-designated point of contact, the notifications can be directed through any reasonable means to the CEO and CIO of the banking organization or to two individuals with comparable responsibilities. The notification requirement does not apply to scheduled maintenance, testing or software updates previously communicated to a banking organization, suggesting that providers should provide notice if the maintenance, testing or software update would take at least four hours.

What are notification incidents under the rule?

Under the rule, notification incidents are computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, a banking organization’s:

  • ability to carry out banking operations, activities or processes or to deliver banking products and services to a material portion of its customer base in the ordinary course of business;
  • business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or
  • operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the U.S.

Notably, to qualify as a computer-security incident under the rule, an incident must cause actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits, providing entities a path to avoid notice in cases where an incident only threatens to cause one of these harms.

The rule’s commentary includes examples of incidents that trigger notice (for example, disruption by a denial-of-service attack is material when it lasts more than four hours, and a ransomware attack is material when it encrypts a “core” system or backup data). The materiality trigger is similar to the materiality prong of the notice provision in the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies. The NYDFS requires notice for events “that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”[2] But unlike the NYDFS notice requirement and many other U.S.-style notice laws—which suggest a focus on malicious, adversarial attacks—the new rule explicitly covers accidental system failures that create a material disruption (for example, failed system upgrades or changes that result in widespread user outages). This reflects the banking regulators’ interest in being notified of incidents that may affect a banking organization’s operations, regardless of the incident’s cause.

How does this rule affect incidents involving a compromise of sensitive customer information?

As the rule’s definitions make clear, federal banking regulators are concerned with material disruptions to critical services, such as denial-of-service attacks, which may or may not compromise the confidentiality of customer information. If the same security incident compromises sensitive customer information, banks may have additional obligations under the banking regulators’ existing Interagency Guidance on Response Programs for Security Breaches and state breach notification laws.

What actions should I take next?

Banking organizations should:

  • Look for their regulators’ specific guidance in early 2022 on logistics to report incidents.
  • Review and update existing incident response plans to ensure that notification incidents are properly escalated and addressed.
  • Review and update their agreements with service providers so that these third parties have explicit contractual obligations to comply with the requirements under the rule.

[1] Financial Institution Letter, Computer-Security Incident Notification Final Rule (Nov. 18, 2021), https://www.fdic.gov/news/financial-institution-letters/2021/fil21074.html.

[2] 23 CRR-NY 500.17(a)(2).

Written by:

BakerHostetler
Contact
more
less

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.