The frequency and severity of cyberattacks has increased significantly in recent years. In light of this growing threat and concerns regarding the disruptive effects these attacks can have on the business operations of financial institutions, on December 18, 2020, the Federal Banking Agencies proposed a new rule that would alter the current notification obligations of banking organizations and their service providers. The Federal Banking Agencies issued the Proposed Rule in response to two perceived gaps in existing regulations: (i) the lack of notification obligations with respect to cyber incidents that disrupt business operations but do not involve the unauthorized access to or acquisition of sensitive customer information; and (ii) the absence of a requirement to provide "an early alert to the banking organization’s primary federal regulator" regarding such incidents.
Proposed Notification Requirements
The Proposed Rule would establish new cyber incident notification triggers for banking organizations and their service providers, mandating notice of any "computer-security incident" by banking organizations to their primary federal regulator within 36 hours and by third-party service providers to at least two individuals at the affected banking organization customer immediately, if such an incident could disrupt, degrade, or impair the services it provides for 4 hours or more.
Specifically, the Proposed Rule would require a banking organization to notify its primary federal regulator when the organization determines that it was the victim of "any 'computer security incident' that rises to the level of a 'notification incident.'" A "computer security incident" is an incident that results in "actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies." The term is comparable to the current term used by the National Institute of Standards and Technology.
A "notification incident" is defined as a "computer security incident" that an entity "believes in good faith could materially disrupt, degrade, or impair the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States."
The Proposed Rule provides a non-exhaustive illustrative list of events that the Federal Banking Agencies would consider "notification incidents" including: (i) denial-of-service attacks that disrupt customer account access for more than four hours; (ii) widespread system outages experienced by bank service providers with undeterminable recovery times; (iii) hacking incidents that disable banking operations for an extended period of time; and (iv) ransomware attacks that encrypt core banking systems or backup data.
For bank service providers, the Proposed Rule would require notification to affected banking organization customers when the service provider determines that it suffered a computer-security incident "that it believes in good faith could disrupt, degrade, or impair" certain important services provided to banking organizations for four or more hours.
The Proposed Rule also would accelerate the time period within which notification must occur. Banking organizations would be required to notify their primary regulator of a "notification incident" as soon as possible, but no later than 36 hours after the organization believes in good faith that such an incident occurred. Bank service providers would need to notify "at least two individuals at affected banking organization customers immediately after experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the Bank Service Company Act for four or more hours."
The Proposed Rule would cover a broader set of cyber-related and computer-security incidents than required by existing federal regulatory requirements for notice and reporting of cyber- and information-security incidents under the Bank Secrecy Act, the Bank Service Company Act, and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
The Proposed Rule would apply to all types of banking organizations that are subject to regulation by the Agencies, including federally chartered banks and branches and agencies of non-U.S. banks, state-chartered member and nonmember banks, state-licensed branches of non-U.S. banks, U.S. bank holding companies and U.S. operations of foreign banking organizations, and would impose obligations on bank service providers and any companies that provide services under the Bank Service Company Act as well. Banking organizations and their service providers should remain cognizant of state laws and regulatory requirements for notice and reporting of cyber-related and computer-security incidents once new federal requirements are adopted.
Implications of the Proposed Rule
The Proposed Rule would significantly change the current breach notification framework for banking organizations and service providers that become victims of cyberattacks. It would create new triggers for notification beyond potential impact on customer data, requiring banking organizations to quickly undertake the additional assessment of whether cyber incidents rise to the level of a "notification incident" or whether a bank service provider’s computer security incident could disrupt important services, in addition to investigating whether the incident involved sensitive customer information. Significantly, these new reporting requirements target situations in which business operations are disrupted and will add to the substantial burden banking organizations and service providers already face in the early stages of responding to such an incident. The short incident reporting deadlines, and follow-on continuing engagement with regulators or banking organizations could divert attention and resources away from the immediate business need to restore operations and mitigate impacts.
In an attempt to diminish this possible impact, the Federal Banking Agencies note that the proposed notification "is not intended to provide an assessment of the incident" at the time of reporting, and would not impose any particular form of notice on banking organizations or service providers or specify the information that the notice must include.
The Federal Banking Agencies are accepting public comment on the Proposed Rule for 90 days after publication in the Federal Register.