[co-author: Rebecca Kocsis]
Last month, the Department of the Treasury and the Federal Reserve System issued a joint notice of proposed rulemaking, available here, requiring banking organizations to provide notification no later than 36 hours after a security incident. The rule, proposed by the Office of the Comptroller of the Currency, Treasury (OCC); the Board of Governors of the Federal Reserve System (“Board”); and the Federal Deposit Insurance Corporation (FDIC), would require bank service providers and banking organizations to provide this express notification in the event of a significant data security incident.
The proposed rule requires a banking organization experiencing a notification incident to notify their primary regulator, once the banking organization has determined in good faith that a notification incident has occurred. The notification would be required as soon as possible but no later than 36 hours after the incident that triggered the notification. The proposed rule would apply to multiple banking organizations that are overseen by the OCC, Board and FDIC, including national banks, saving associations and all U.S. bank holding companies and savings and loan holding companies, as well as other entities.
The text of the proposed rulemaking defines a “computer-security incident” with two thresholds. The first threshold is an incident that “results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.” The second threshold “constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” Under the proposed rule, if a banking organization experiences an event that meets either of these thresholds, it would need to provide notice within 36 hours.
The proposed rule also defines a “notification incident” as a computer-security incident that could disrupt or impair a banking organizations’ ability to carry out regular banking operations, result in a material loss of profit or review or pose a threat to the financial stability of the United States. To trigger a notification requirement, a computer-security incident must rise to the level of a notification incident. If the banking organization experiences a computer security incident that does not trigger a notification incident, a notice would not be required. The text of the proposed rule provides a non-exhaustive list of examples of events that would be considered a notification incident, including:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than four hours).
- A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable.
- A failed system upgrade or change that results in widespread user outages for customers and bank employees.
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan.
- A computer hacking incident that disables banking operations for an extended period of time.
- Malware propagating on a banking organization’s network that requires the banking organization to disengage all Internet-based network connections.
- A ransom malware attack that encrypts a core banking system or backup data.
The rule also outlines a requirement for bank service providers to notify at least two individuals at the banking organization to which they provide services immediately after experiencing a computer-security event. The notice trigger for a bank service provider would be a computer-security, rather than notification-incident. From here, the proposed rule would require the banking organization to analyze the computer-security event to determine if it met the qualifications for a notification incident. The proposed rule highlights the importance of communication between the two entities in the event of a computer-security event due to banking originations relying heavily on their service providers. Under the proposed rule, bank service providers required to provide notice are defined by the Bank Service Company Act (BSCA).
Comments on the proposed rule must be submitted within 90 days of the publication of the notice in the Federal Registrar. Comments can be made through the OCC’s Federal eRulemaking Portal, by mail or by hand delivery.
The proposed rule highlights the trend toward more rapid notification requirements as cybersecurity breaches and high-level events become more common. Banking organizations will need to be on alert for how to assess these types of events by ensuring a complete and comprehensive data privacy program.