The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Regulators) are considering a new rule that would require banks to notify their primary federal regulator within 36 hours of when they believe certain security incidents have occurred.
The Regulators are also proposing a new rule that would require bank service providers to notify at least two individuals at the affected bank immediately after the service provider experiences a computer security incident that could disrupt, degrade, or impair the provision of services for more than four hours.
The Regulators published a notice of proposed rulemaking (NPR) in the Federal Register on January 12, 2021, which allows for public comments for 90 days (until April 12, 2021).
Banks should consider the potential impact on procedures, operations, and vendor relations. If new rules are implemented, banks may need to update numerous documents, policies, and contracts that touch on these issues.
Renewed interest in the cyber health of the financial sector
The impetus behind the NPR is not the Regulators’ desire to start policing banks’ cybersecurity programs, or a desire to add a new regulatory burden on banks and their service providers. Rather, the Regulators want to make the rules governing notification consistent, and they want to gather more information about the types of cybersecurity incidents that could impact the stability of the financial sector.
Regardless, it has been quite some time since the Regulators have addressed cybersecurity rulemaking, so it is indicative of a renewed interest in the cyber health of the financial sector.
According to the Regulators, receiving this type of information about cybersecurity incidents from banks early and often can help the Regulators gather intelligence about emerging threats to individual banks and the financial system at large.
Banks required to notify primary regulators of “notification incidents” within 36 hours
Although the NPR sets a new, somewhat strict 36-hour reporting timeline for banks experiencing a cybersecurity incident, the Regulators are merely putting a finer point on already-existing requirements.
The Regulators already know, through examinations and audits, that most banks have internal policies for responding to cyber incidents. But much of the existing regulatory scheme governing data breach notification focuses on compromised consumer data – not cybersecurity.
For instance, banks are already required to report known or suspected criminal activity or suspicious transactions per the Bank Secrecy Act, but the Regulators have suggested those reports do not cover the cybersecurity angle that interests them. And, per the Federal Financial Institutions Examination Council’s (FFIEC) existing Interagency Guidance, banking organizations are already required to notify their primary federal regulator “as soon as possible” after the organization becomes aware of an incident involving “unauthorized access to, or use of, sensitive customer information.”
The existing regulations focus on cyber incidents that affect consumer data. The NPR goes a step further and will require banking organizations to report incidents that disrupt operations, even if those incidents do not result in any compromised consumer information.
Definition of computer-security incident and notification incident
The NPR lays out two relevant definitions: “computer security incident” and “notification incident.”
A “computer security incident” is “an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
Note that this definition is broad and is not focused on whether consumer data has been compromised. Rather, the focus is whether the organization’s systems have been compromised.
“Notification incident” – which is a narrower subset of “computer security incident” – is defined as “a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair:
- The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
Like the “computer security incident” definition, this definition focuses more on whether the bank’s ability to carry on its operations is compromised, not whether consumer data has been affected. The NPR explains that banks are only required to report “notification incidents” to their primary federal regulators, not all “computer security incidents.”
When is the 36-hour reporting clock for banks triggered?
Thankfully, the NPR makes clear the 36-hour clock is not triggered until the bank “believes in good faith that a notification incident has occurred.”
This is an important distinction because it can often take much longer than 36 hours to determine whether a cyber incident has indeed occurred and, where one has occurred, determining the scope of the incident can be extremely labor-intensive and time-consuming.
The Regulators specifically wrote in the NPR:
“The agencies do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident. Rather, the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. In this context, the agencies recognize banking organizations may not come to a good faith belief that a notification incident has occurred outside of normal business hours. Only once the banking organization has made such a determination would the requirement to report within 36 hours begin.”
As for the notification itself, the Regulators do not appear interested in a full post-mortem from the bank. Rather, the notification is intended to be an early alert to the regulator and does not need to include any type of assessment of the incident.
The Regulators “expect only that banking organizations share general information about what is known at the time.”
And, importantly, the notification to the Regulators does not require that the bank issue additional notifications if the incident has compromised personally identifiable information. State law already governs those situations.
This is why the 36-hour notification requirement is much shorter than the state data breach notification requirements – this type of notification to the Regulators requires much less detail.
Bank service providers required to notify banks of “computer security incidents” immediately
According to the NPR, bank service providers will be required to notify at least two individuals at each affected bank immediately after experiencing a “computer security incident” that could disrupt, degrade, or impair services provided for four or more hours.
Bank service providers include all providers of services described by the Bank Service Company Act, such as check and deposit sorting and posting; computation and posting of interest and other credits and charges; preparation and mailing of checks, statements, notices, and similar items; or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution, as well as components that underlie these activities.
This portion of the NPR is not a significant departure from the existing ecosystem of contracts between banks and their service providers. Typically, those agreements already require service providers to notify their customers as soon as possible after a material incident occurs. Under the NPR, however, the bank would now have the burden of determining whether the service provider’s incident qualifies as a “notification incident” and, if so, it must notify its primary regulator.
On March 23, join Adams and Reese’s Privacy, Cybersecurity and Data Management team for a webinar as we discuss the proposed rule, changes made to some payment-related rules that require financial institutions and their customers to encrypt certain files/information, and what else we can expect for 2021.