On November 23, 2021, the OCC, Federal Reserve Board, and FDIC issued a joint final rule that requires banking organizations and their service providers to report certain computer-security incidents. A computer-security incident becomes reportable under the rule only if it materially threatens the banking organization’s ability to continue operating or offering banking services, or threatens the stability of the U.S. financial system. The rule requires banking organizations to notify their primary federal regulators of these incidents, and bank service providers to notify their affected bank clients.
First, the rule requires banking organizations to report to their primary federal regulator any computer-security incident that rises to the level of a notification incident. The notification must be made as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The notification period runs from the time the banking organization determines that a notification incident has occurred, not from the time the incident actually occurred, which builds in time for the banking organization to assess the situation and make a determination.
For purposes of the rule, a “computer-security incident” is any occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or to information that such a system stores, processes, or transmits. Under this definition, computer-security incidents are not limited to malicious attacks or intentional exploitation of computer systems, networks or data, but could also include things like system failures. A computer-security incident becomes a “notification incident” if it materially disrupts or degrades (or is reasonably likely to materially disrupt or degrade) (1) the banking organization’s ability to carry out banking operations or deliver banking products and services, (2) business lines that upon failure would result in material loss of revenue, profits, or franchise value of the banking organization, or (3) operations that would threaten the financial stability of the United States.
Second, the rule requires bank service providers to notify the affected banks that they serve as soon as possible if the service provider is experiencing a computer-security incident that has caused (or is likely to cause) a material service disruption or degradation of services to the bank for four or more hours. Notices are required to be given to the bank’s designated point of contact, or if the bank has not designated a point of contact, then to the bank’s CEO and CIO. For purposes of the rule, a bank service provider means any person that performs covered services subject to the Bank Service Company Act (12 U.S.C.A. §§ 1861 - 1867). These covered services include check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices and similar items, and other clerical, bookkeeping, accounting, statistical, or similar functions. This notice obligation for bank service providers is intended to allow banking organizations to assess whether the computer-security incident at the service provider has triggered (or is reasonably likely to trigger) a notification incident at the bank.
The new rule takes effect April 1, 2022, and banking organizations must be in compliance by May 1, 2022. While most banks likely already have compliance processes in place to notify their primary regulator promptly of any incident as serious as a “notification incident” under the rule, banks should confirm they have the appropriate controls and processes in place to meet the 36-hour time window. Service providers to banks should determine whether the bank is treating their services as services covered by the Bank Service Company Act and whether the bank has reported the service relationship to its regulator under the Bank Service Company Act (12 U.S.C.A. § 1867(c)(2)). If so, the service provider should ensure that it has the appropriate controls and processes in place to give the banking organization prompt notice of security incidents covered by the rule, so as to meet the rule’s “as soon as possible” standard.