On November 18, the Office of the Comptroller of the Currency, the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC) adopted a rule that will require banking organizations and their bank service providers to give notice of certain computer-security incidents. FDIC Chairman Jelena McWilliams noted that the rule “addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations.” Like many other rules governing the banking system, the federal prudential banking regulators adopted substantively identical versions of the rule.
Why This Matters:
Although financial institutions have long been informally expected to share security threats and incidents with their federal prudential banking regulators, the rule creates a new urgency around incident notifications and express regulatory obligations in support of that expectation. Beginning May 1, 2022, banking organizations and their service providers will have to comply with new notification requirements: A banking organization will need to inform its federal prudential regulator within 36 hours of determining a certain type of security incident occurred, and a banking organization’s service provider will have to inform the banking organization of certain types of incidents as soon as possible.
Requirements for Banking Organizations:
Banking organizations must notify their primary federal regulator of a “notification incident” no later than 36 hours after determining that a notification incident has occurred. Notice can be made by email, phone or similar methods prescribed by the prudential banking regulator for that banking organization. Thirty-six hours is a quick turnaround—half the time allowed by the similar requirement imposed in the New York DFS Cybersecurity Regulation.
For a notification incident to occur, a banking organization must experience “actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits” and the incident must have “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade,” a banking organization’s (i) ability to carry out operations or deliver products and services to a material portion of its customers; (ii) business lines that, if failed, would result in material loss of revenue, profit, or franchise value; or (iii) operations that, if failed or discontinued, would pose a threat to the financial stability of the United States. Notably, there is no requirement that the incident result in actual or potential exposure or acquisition of customer information; those separate incidents remain subject to the existing Interagency Guidelines Establishing Information Security Standards.
Requirements for Service Providers:
Unlike the strict notification time frame for banking organizations, service providers are required to notify the affected banking organization “as soon as possible” once the provider has determined it has experienced a computer-security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” Covered services are those performed by a person subject to the Bank Service Company Act. As adopted, the rule provides service providers with some space to make the determination, requiring notification “as soon as possible,” rather than the proposed “immediately,” which would have been a tough—if not impossible—standard to meet. As the regulators note, “immediate notice may leave no time lapse ‘between when a computer-security incident occurred and when notification has to happen.’”
Notice must be given to a bank-designated point of contact, if previously provided, or to the bank’s chief executive officer and chief information officer (or comparable roles) in cases where the bank has not provided a point of contact. Notification is not required for any scheduled maintenance, testing or software updates that have been previously communicated to the banking organization.
Assuming existing contractual provisions between the banking organization and its third-party service providers adequately address security incident obligations, this flow-down obligation may not have significant practical consequence, except on a banking organization’s separate obligation to ensure its service providers’ ongoing compliance with applicable law.
- Banking organizations have a short window to make notice upon determining a notification incident occurred. Once effective, the rule will impose one of the shortest notification time frames in the United States (36 hours). While this time frame is not triggered until the banking organization determines a notification incident occurred—a change from the initial proposal to start the clock at a “good faith belief”—the short window means that entities will need to have their ducks in a row at the time that the determination is made. For example, entities should establish clear processes and procedures for quickly evaluating the severity of a compromise of the confidentiality, integrity or availability of a computer system or the information in it.
- The rule is intended to address material incidents. The federal prudential banking regulators intentionally narrowed the definition of computer-security incidents and declined to incorporate the National Institute of Standards and Technology (NIST) definition. “Actual harm” to an information system or the information contained within it is required in order for an incident to qualify as a computer-security incident. In response to comments, the federal prudential banking regulators removed internal policy or procedure violations as a notification trigger. As the federal prudential banking regulators explain in adopting the rule, “[t]hese changes narrow the focus of the final rule to those incidents most likely to materially and adversely affect banking organizations.” In fact, Chairman McWilliams explicitly acknowledged that the rule seeks to avoid “unnecessarily difficult or time-consuming reporting obligations.”
- Although the final criteria for notifiable incidents are narrower than originally proposed, the requirements are potentially broader than existing state breach notification laws. Notwithstanding the well-intended efforts to limit requirements to the “most significant cyberattacks,” the rule likely requires notice for incidents that would not trigger notification under existing state laws, because the rule’s definition of notifiable incidents is based on impacts to systems rather than on unauthorized access to or acquisition of consumer personal information. For example, the federal prudential banking regulators provide (non-exhaustive) examples of computer-security incidents that would meet the threshold of a “notification incident,” including “large scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours).” Under the rule, security events that organizations once may have addressed through a strategic “systems outage” communication may now trigger a legal obligation to notify federal regulators. Entities subject to the New York DFS Cybersecurity Regulation will need to evaluate security incidents carefully, as in some cases that state regulation may be broader (for example, when faced with unsuccessful attempts) and in other cases the new federal rule may be broader (for example, for incidents that could pose a threat to the financial stability of the United States but are unlikely to materially harm a material part of the entity’s normal operations).
- Addressing security requirements in contracts continues to be critical. In addition to mandating notification requirements for service providers, the rule introduces very specific methods for providing that notice. The implied effect of those requirements is that regulators expect service provider contracts to address security requirements, including notification protocols, to the extent they do not already. The practical effect of the rule means that if the applicable contract fails to incorporate those provisions, service providers may be forced to escalate security events to the highest members of their customer organizations (i.e., the CEO). Such compulsory escalation can create challenges, inefficiencies and unnecessary strain for both service providers and banking organizations, which could be avoided by appropriately addressing security considerations in applicable contracts.