On November 18, 2021, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint final rule to require banking organizations to provide prompt notice to federal regulators following discovery of ransomware or other disruptive cybersecurity incidents.
Under existing federal law (the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice), banks must notify their primary federal regulator “as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.” Banks must notify individuals if the bank’s investigation determines that misuse of the individuals’ information has occurred or is reasonably possible as a result of the incident. Banks may also have separate obligations under state data breach notification laws.
Under the new rule, banks must be also prepared to provide very prompt notice to regulators following cybersecurity incidents that are disrupting, or are reasonably likely to disrupt, the bank’s ability to serve its customers. This notification must occur even if the bank is not aware of unauthorized access to any sensitive customer information.
The final rule requires covered banking organizations to notify their federal regulator as soon as possible and no later than 36 hours after the banking organization determines that a “computer-security incident” has occurred and rises to the level of a “notification incident.” The notification may be done through email, telephone, or other prescribed communication methods established by each regulator.
The final rule includes the following definitions:
The rule defines a “computer-security incident” as an occurrence that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
The rule defines a “notification incident” as computer-security incident that “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s
- (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
The rule provides examples of when notification of a computer-security incident would be required, including major computer-system failure, a cyber-related interruption such as a ransomware attack, or any type of significant operational interruption.
The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible when the service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the banking organization for four or more hours.
Banking organizations and service providers should begin reviewing their incident response plans and talking with counsel about ways to prepare for this new rule. During the first 36 hours following a ransomware attack or other critical cybersecurity incident, bank leaders need to have a well-defined plan to contain and remediate the security threat, preserve forensic evidence, engage counsel and other experts, and communicate with key stakeholders and regulators.
The final rule will take effect on April 1, 2022 and full compliance will be required by May 1, 2022. Federal regulators are anticipated to provide additional guidance and notification logistics in early 2022.