The Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, the “Agencies”) published a new joint final rule on November 18, 2021 (the “Final Rule”)1 establishing new computer security incident notification requirements for banking organizations and their bank service providers. The Final Rule takes effect April 1, 2022, with a compliance date of May 1, 2022.
36 Hours for Banking Organizations to Notify Primary Regulator of a “Notification Incident”
Banking organizations2 must notify their primary regulator as soon as possible, and in no case later than 36 hours after the banking organization determines that a “notification incident” has occurred.
A “notification incident” is “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
A “computer-security incident” is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
Upon determining that a “notification incident” has occurred, the banking organization must provide notification to the appropriate supervisory office or designated point of contact, through email, telephone, or other similar methods that the primary regulator may prescribe. This 36-hour notification window is shorter than the 72 hours under the New York Department of Financial Services’ cybersecurity regulations for a cybersecurity event,3 the 72 hours under the European Union’s General Data Protection Regulation for certain personal data breaches,4 and the proposed 72 hours for certain critical infrastructure cyber incidents in the pending FY22 National Defense Authorization Act.5
Notification under the Gramm-Leach-Bliley Act (“GLBA”) and its Security Guidelines does not change under the new Final Rule. GLBA still requires notice “as soon as possible” for incidents involving “sensitive customer information.” Similarly, the Bank Secrecy Act (“BSA”) and the Agencies’ suspicious activity report (“SAR”) regulations and guidance do not change under the Final Rule. However, other recent updates, such as FinCEN’s November 8, 20216 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, may require further alignment of internal policies and procedures to support the various notification and reporting requirements that can stem from the same incident.
Banking Service Providers to Notify Customer ASAP of a “Computer-Security Incident”
Banking service providers7 must notify each affected banking organization customer of a “computer-security incident” “as soon as possible” after determining that a computer-security incident “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.”
Notification may be made to an email address, phone number, or any other contact(s) previously provided to the bank service provider by the banking organization customer. If no point of contact has been designated by the banking organization, then such notification shall be made to the CEO and CIO, or two individuals of comparable responsibilities, through any reasonable means. The Final Rule requires bank service providers to make these notifications regardless of any contractual provisions, including where the contract between a bank service provider and a banking organization sets notification terms that differ from those in the Final Rule. Scheduled maintenance, testing, or software updates previously communicated to a banking organization customer are not subject to this requirement. Whether a computer-security incident notified by the bank service provider amounts to a “notification incident” under the Final Rule is determined by the banking organization customer.
Planning for Compliance
The Final Rule takes effect April 1, 2022, with a compliance date of May 1, 2022. Reviews of internal compliance documentation (such as incident response plans, crisis management plans, business continuity and disaster recovery plans, and the related board escalation and customer notification communication plans) may help identify gaps in the requirements, or in the capacity, to meet the new notification obligations. Additionally, focused tabletop exercises at the management and/or board level may help banking organizations and bank service providers test the effectiveness of policies, procedures and plans in meeting the new timelines set by the Final Rule for the broader scope of incidents, which now extends beyond those involving sensitive customer information. Establishing new contract template language that is harmonized with the Final Rule for use in future agreements may aid overall compliance and reduce litigation risks associated with contract claims. Dentons continues to monitor legislative and regulatory developments related to cybersecurity incident notifications and ransomware.
1 Final Rule, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (to be codified at 12 C.F.R. pt. 53; 12 C.F.R. pt. 225; 12 C.F.R. pt. 304), announced on Nov. 18, 2021 at https://www.occ.treas.gov/news-issuances/news-releases/2021/nr-ia-2021-119.html; https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20211118a1.pdf; https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf (hereafter, the “Final Rule”).
2 The scope of “banking organizations” under the Final Rule includes: for the OCC, national banks, federal savings associations, and federal branches and agencies of foreign banks; for the Board, all U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations; and for the FDIC, all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations. In recognition of existing rules, “designated financial market utilities” are not covered by the Final Rule, either under the definition of a “banking organization” or under the definition of a “bank service provider” described in footnote 7.
3 See 23 NYCRR Part 500.
4 See Art. 33 of the GDPR.
5 See Section 1535 of the National Defense Authorization Act for Fiscal Year 2022, H.R.4350, passed by the House Sept. 23, 2021; various amendments have been proposed in the Senate, where the bill remains pending as of the date of this alert. Notably, the proposed legislation also includes a 24-hour notification requirement for payments made in response to a ransomware incident.
6 FinCEN Advisory FIN-2021-A004, “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (Nov. 8, 2021) at https://www.fincen.gov/sites/default/files/advisory/2021-11-08/FinCEN%20Ransomware%20Advisory_FINAL_508_.pdf.
7 “Bank service providers” include only those service providers that are providing “covered services” (i.e., those that are performed by a person subject to the Bank Service Company Act) to banking organizations.