Nearly a year after issuing the notice of proposed rulemaking, the FDIC, OCC, and Federal Reserve have issued a final rule setting new notification requirements for banks and their third-party service providers in the event of a “computer-security incident.” In December 2020, the federal regulators issued a notice of proposed rulemaking suggesting that under the new rule (1) banks will need to report certain cybersecurity incidents to their primary regulator within 36 hours and (2) third-party bank service providers will need to report certain cybersecurity incidents to their banks immediately. The final rule was issued on November 17, 2021, solidifying the agencies’ commitment to the stated goal of ensuring “safety and soundness” in modern-day banking.
Comments and Revisions from the Proposed Rule
Regulators received 35 comments from banks, service providers, and advocacy groups, the majority of which supported the proposal and the need for prompt notice of significant computer-security incidents in the banking sector. However, some commenters took issue with the definitions provided under the rule and with some of the specific notification provisions for banks and service providers. The final rule includes several changes to address these comments and provide additional clarity in the notification process.
Final Rule Requirements
The final rule establishes two primary requirements:
1. Banking Organizations
The final rule requires banking organizations to notify their primary federal regulator of “any computer-security incident that rises to the level of a notification incident” as soon as possible, but no later than 36 hours after the bank determines that the incident has occurred.
Under the final rule, the agencies define a “computer-security incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. In consideration of suggestions from several commenters, this definition includes significant revisions from the proposed rule. In particular, under the final rule, banks need only consider actual harm, not the potential harm included in the proposed rule. Additionally, the agencies removed a second prong of the proposed definition relating to violations of internal policies. This streamlines the process for banks to make the initial determination of when a “computer-security incident” has occurred.
Concerning the definition of “notification incident,” the final rule retains most of the proposed language, with a few important modifications. Under the final rule, a “notification incident” is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
As noted, this final language is largely consistent with the proposed rule, with some minor changes for clarification purposes.
Considering the above definitions, banking organizations are now required to first determine whether a computer-security incident that rises to a level of a notification incident has occurred. The 36-hour timeframe for notice begins only after the bank makes this determination. The agencies have suggested that although the method by which notice may be made is flexible, email and telephone are the best methods currently available for effective notice.
2. Bank Service Providers
In addition to the notification rules for banking organizations, the final rule also sets forth new requirements for third-party organizations providing covered services to banks, referred to as bank service providers (BSPs). Under the rule, BSPs are required to notify at least one bank-designated point of contact at each affected customer bank as soon as possible when the BSP determines that a computer-security incident has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.”
Under the final rule, BSPs are not required to assess whether a notification incident has actually occurred—that is the bank’s job. BSPs are only required to determine whether there has been a computer-security incident, and, after making the determination, to report that incident to a single point of contact at the bank by email or phone as soon as possible. If there is no set point of contact, the BSP must contact the Chief Executive Officer and the Chief Information Officer of the affected bank through reasonable means. Accordingly, to avoid bothering a CEO or CIO with this information, BSPs and their banking customers should designate appropriate points of contact as soon as possible.
Next Steps for Banks and Bank Service Providers
The new rule goes into effect on April 1, 2022, and compliance is expected by May 1 of the same year. This new rule may require banks and BSPs to take several steps to ensure compliance. Specifically, it is recommended that affected organizations take the following actions:
- Banking organizations should review and revise internal notification policies to ensure that those policies are compliant with the new rule;
- Banks should ensure that they have appropriate practices in place to discover computer-security incidents and to determine efficiently whether those incidents rise to the level of a notification incident;
- Banks should ensure that they understand who their primary regulator is and how they can quickly contact that agency in the event that notification is required;
- Banks and BSPs should designate points of contact to receive notifications in the event that a BSP is required to notify the bank;
- Banks and BSPs should ensure that any contractual notification provisions are consistent and compliant with the new rule.