The three federal banking agencies (i.e., the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—collectively, the Agencies) published a final rule (the Rule) on November 23, 2021, requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours.
The Rule applies to all national banks, insured state member and nonmember banks, federal and insured state savings associations, US bank holding companies and savings and loan holding companies, state and federal branches and agencies of foreign banks, and the US operations of foreign banking organizations. Bank service providers covered by the Rule include any bank service company or other person that provides services subject to the Bank Service Company Act. The Rule is scheduled to take effect on April 1, 2022, with full compliance required by May 1, 2022.
Under the Rule, any computer-security incident that rises to the level of a “notification incident” triggers the notification requirement applicable to banking organizations.
The Rule defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
The Rule defines a “notification incident” as “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s —
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
Computer-security incidents may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions.
The stated purpose of the Rule’s 36-hour notification requirement is to “help promote early awareness of emerging threats to banking organizations and the broader financial system.” Consistent with that purpose, the Rule does not set forth specific content or format requirements for the required notification, and indeed suggests that any form of written or oral communication to the appropriate federal agency will be sufficient, subject to the Agencies’ authority to prescribe particular notification methods in the future.
Computer-security incident notifications and any information related to the incident will be subject to the Agencies’ general confidentiality regulations.
The Rule separately requires bank service providers to notify a designated point of contact at each affected banking organization customer as soon as possible in the event of a computer-security incident that has or is reasonably likely to materially affect customers for four or more hours. This notification will allow the banking organization to assess whether the incident will trigger the banking organization’s own notification requirement to the appropriate federal Agency. While banking organizations’ contractual arrangements with service providers generally impose incident notification requirements, the Agencies have determined “that this issue is important enough to warrant an independent regulatory requirement that ensures consistency and enforceability.”