Banks’ Notification Obligations
Under the newly finalized rule, banking organizations will be required to notify their primary federal regulator of a significant computer-security incident, known as a notification incident, as soon as possible but no later than 36 hours after a bank determines such an incident has occurred. A computer-security incident is one that actually harms the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. Banking organizations must notify their primary federal regulator when such an incident has materially impacted, or is reasonably likely to materially impact, their operations, their ability to deliver products and services, or one or more of their business lines in a manner that could result in a material fiscal impact. Banking organizations must also provide this notification when an incident could pose a threat to the stability of the financial sector.
Banking organizations must provide the notice to the appropriate agency supervisory office, or a designated point of contact, through email, telephone, or other methods the agencies may prescribe. The preamble to the final rule clarifies the agencies expect banking organizations to share general information about what they know about the incident, but that there is no specific form or template for the notification and no specific information is required in the notification other than that an incident has occurred.
In promulgating this rule, the federal regulators highlighted concerns about increasingly frequent, sophisticated, and severe cyberattacks on the financial services industry. However, the regulators also noted that notification incidents can arise from non-malicious failures of hardware and software, personnel errors, and other causes that can disrupt or degrade banking service offerings. The regulators included a non-exhaustive list of events that are generally considered notification incidents; it includes both malicious and non-malicious computer-security incidents. Examples of incidents that may be non-malicious but nevertheless require notification to a regulator include failed system upgrades that result in widespread outages and unrecoverable system failures that result in activation of a banking organization’s business continuity or disaster recovery plan.
This new reporting requirement will apply to banking organizations regulated by the OCC, Federal Reserve, and FDIC, including national banks, federal savings associations, and federal branches and agencies of foreign banks supervised by the OCC; U.S. bank holding companies and savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations supervised by the Federal Reserve; and insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations supervised by the FDIC. Designated financial market utilities are exempt from the rule. The rule also does not apply generally to fintechs or other non-bank financial institutions, although as discussed in more detail below, bank service providers will be subject to a separate requirement to notify banking organizations of certain incidents.
Some of these banking organizations are chartered by or otherwise regulated by the New York Department of Financial Services (NYDFS) and have already been subject to a requirement that they provide notice to NYDFS within 72 hours of a determination that a covered cybersecurity event has occurred. The new federal rule will, of course, significantly reduce the time in which such banking organizations must first report incidents to a regulator. However, the new federal rule is narrower in some ways than the existing NYDFS rule. For example, the NYDFS rule covers both successful and certain unsuccessful cyberattacks, while the new federal rule covers only incidents that actually harm banks’ information or systems.
Bank Service Providers’ Notice Obligations
Bank service providers will also be subject to new reporting requirements when the rule becomes effective. The rule applies to service providers that are providing services subject to the Bank Service Company Act, 12 U.S.C. § 1861 et seq. (BSCA). Covered services under the BSCA include check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution, which may include data processing, internet banking, or mobile banking services.
Banking organizations are already required by the BSCA to notify their regulator of contracts or other similar arrangements with service providers. However, there is no corresponding requirement for a banking organization to notify a service provider that the banking organization has informed its regulator that the service provider is providing services subject to the BSCA. Service providers should therefore consider inquiring of their bank customers whether the banking organization has designated them a service provider under the BSCA as a component of assessing whether they are subject to this new rule.
Covered service providers will be required to notify their bank customers as soon as possible after determining they have experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. Service providers must report such an incident to the bank customers’ designated point of contact or, if no contact has been so designated, to the chief executive officer or chief information officer.
This standard is distinct from, and broader than, the standard for when a banking organization must report an incident to its primary regulator. It will remain the responsibility of a banking organization to determine when an incident reported to it by a service provider must also be reported to the banking organization’s primary federal regulator.
In the preamble to the final rule, the agencies noted that the notification requirement in the new rule is independent of any contractual provisions. Bank service providers must therefore comply with this new requirement even when their contracts specify different notification standards than those created in the new rule.
Banking organizations and covered banking service providers will soon be required to comply with these new notification requirements and should now be reviewing their threat detection and incident response plans and capabilities to ensure that computer-security incidents are promptly detected and appropriately reported. With these threats becoming increasingly sophisticated and nefarious, having an effective cybersecurity program and corresponding incident response plan in place is critical to remain in compliance with regulatory requirements and to mitigate operational risk.
Banking organizations should also consider formally designating one or more points of contact who will receive service providers’ notifications, potentially through contract terms, to ensure that the line of reporting is clearly understood and that incident notifications are not missed or misdirected. Banking organizations should also consider establishing or supplementing existing policies and procedures to clearly define the steps they will take to assess notifications from service providers, both to evaluate the impact on the banking organization’s information and systems and to determine whether a notification received from a service provider must be reported to the organization’s primary regulator. Finally, banking organizations should consider consulting their primary regulator to determine the regulator’s preferred method of receiving reports of notification incidents, to ensure that the organization’s reports are received and acknowledged.