On December 18, 2020, federal financial regulatory agencies jointly announced a proposed rule that would impose new and expanded reporting requirements on supervised banking organizations that experience a “computer-security incident,” requiring notice within 36 hours of any computer-security incident that rises to the level of a “notification incident.” In a significant departure from current reporting requirements for financial institutions that experience a security incident, the proposed rule would broadly require notification of any incident that could impair an organization’s ability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector, regardless of the type or quantity of information affected. The rule would also impose reporting requirements on bank service providers that experience computer-security incidents.
The proposed rule was jointly announced by the Office of the Comptroller of the Currency, Treasury (OCC), the Board of Governors of the Federal Reserve System (“Board”), and the Federal Deposit Insurance Corporation (FDIC). Below we set out key takeaways from the Notice of Proposed Rulemaking (NPR).
Organizations Subject to the New Requirements
The proposed rule would apply to supervised banking organizations and bank service providers, as described in the NPR:
- Banking organizations would include the following organizations, depending on the relevant supervisory regulatory authority:
- For the OCC, “banking organizations” would include national banks, federal savings associations, and federal branches and agencies.
- For the Board, “banking organizations” would include all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; Edge and agreement corporations.
- For the FDIC, “banking organizations” would include all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.
- Bank service providers would include entities that provide services that are subject to the Bank Service Company Act (BSCA), including but not limited to preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.
Proposed Reporting Requirements for “Notification Incidents”
The proposed rule would require banking organizations to notify their primary federal regulator in the event of a “notification incident.”
- A notification incident is a “computer-security incident” that a banking organization believes in good faith could materially disrupt, degrade, or impair (i) the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or (iii) those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
- The proposed rule defines a “computer-security incident” as an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Banking organizations would be required to notify their primary federal regulator as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred.
An Expansion of Current Reporting Requirements
The proposed rule would constitute a notable departure from current federal reporting requirements for financial institutions under the Bank Secrecy Act (BSA) and the Gramm-Leach-Bliley Act (GLBA). The NPR explains that at a high level, under the BSA, banking organizations may be required to report certain cyber events by filing a Suspicious Activity Report (SAR), if the activity may be related to a money-laundering activity. Organizations may also be required to notify federal regulators and individuals of security incidents under the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, which interprets Section 501(b) of the GLBA, but such notice would only be triggered if an organization becomes aware of an incident involving unauthorized access to, or use of, “sensitive customer information.” The NPR notes that while current reporting requirements under the BSA and GLBA “may provide the agencies with notice of certain computer-security incidents,” the requirements are “too narrow in scope to address all relevant computer-security incidents that would be covered by the proposed rule.”
Notably, the proposed rule would require banking organizations to also report “incidents that disrupt operations but do not compromise sensitive customer information.” Examples provided by the NPR include large-scale distributed denial of service attacks that disrupt customer account access and a failed system upgrade that results in widespread user outages. By linking the notice requirement to a materiality threshold, the proposed rule would in some ways follow the model set by the New York Department of Financial Services Cybersecurity Regulation, which requires institutions regulated by the Department to provide notice of any cybersecurity event that has “a reasonable likelihood of materially harming any material part of the normal operation(s)” within 72 hours.
A Tight Reporting Timeline
By imposing a 36-hour notice requirement on supervised banking organizations and bank service providers, the federal financial regulatory agencies note that the proposed rule would provide a critical source of timely threat-related information that “current reporting requirements related to cyber incidents are neither designed nor intended to provide.” Although such a short notice timeline may create a particular challenge for banks facing complex security incidents, especially since any available technical information is likely to be incomplete or unreliable in the first days following an incident, the NPR notes that the agencies “do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident.” Instead, the agencies anticipate that an organization would take a “reasonable amount of time” to determine that a notification incident has occurred, and then notify its primary regulator within 36 hours of making that determination. Banking organizations would only be expected to share general information about what is known at the time, and the notice could be provided through any form of written or oral communication.
Notification Requirements for Bank Service Providers
In addition to banking organizations, the proposed rule would also impose new requirements on bank service providers. Bank service providers would be required to notify “at least two individuals” at the affected bank “immediately after the bank service provider experiences a computer security incident that it believes in good faith could disrupt, degrade, or impair services” for four hours or more. After receiving such notice, if a banking organization determines that a notification incident has occurred, the banking organization would be required to notify its primary federal regulator.
The proposed regulation will be open for comments for 90 days from its publication in the Federal Register.