Banking Organizations & Bank Service Providers Subject to New Computer-Security Incident Notification Rule
On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) (collectively, “the agencies”) issued a joint final rule to establish computer-security incident notification requirements for banking organizations (BO) and their bank service providers (BSP). The final rule takes effect on April 1, 2022, with full compliance extended to May 1, 2022. The FDIC will provide supervised institutions direction on its implementation in early 2022.
During the rule-making process, the agencies initially aligned the definition of a computer-security incident with language used by the National Institute of Standards and Technology (NIST). However, the agencies agreed that the NIST definition does not wholly align with the purposes of the rule and have therefore narrowed the final rule’s definition. The final rule defines “computer-security incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. The new definition narrows the focus to those incidents most likely to materially and adversely affect BOs, while still retaining general consistency with the NIST definition.
The updated definition of a cyber-security incident, and its applicability, does not mean that every incident will require notification. The final rule has changed the definition to include a “reasonably likely” standard, which would require a BO to notify its primary federal regulator when it has suffered a computer-security incident that has a reasonable likelihood of materially disrupting or degrading the BO or its operations (see fn. 5 of the joint final rule). At the same time, the new standard does not require notification for adverse outcomes that are merely possible, or within imagination.
The agencies have included a list of incidents that generally are considered a “notification incident” under the final rule:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
- A BSP that is used by a BO for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and BO employees;
- An unrecoverable system failure that results in activation of a BO’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on a BO’s network that poses an imminent threat to the BO’s core business lines or critical operations or that requires the BO to disengage any compromised products or information systems that support the BO’s core business lines or critical operations from Internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.
These are only some examples that would require notification under the final rule. However, the agencies have also advised that each incident should undergo a case-by-case analysis to determine if notification is required.
Each of the agencies has a different definition of a banking organization. The OCC’s definition includes national banks, federal savings associations, and federal branches and agencies of foreign banks. The Board’s definition includes all U.S. bank holding companies and savings and loan holding companies, as well as state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations. The FDIC’s definition includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.
If an entity falls under the definition of a BO, is subject to one of the three federal regulators, and has a “cyber-security incident”, the entity must provide notice under the final rule as soon as possible and no later than 36 hours after the entity determines that a computer-security incident has occurred. The final rule provides that the entity would notify the appropriate agency-designated point of contact through email, telephone, or other similar methods that the specific agency may prescribe. Therefore, it is recommended that an entity work with counsel to coordinate such efforts, as each agency may have different designated points of contact regionally.
The 36-hour time limit serves as an early alert to a BO’s primary federal regulator about a notification incident. Given such timing, a BO can expect to provide general information regarding the incident, to the extent that information is available.
Banking Service Providers
The final rule defines “bank service provider” as a bank service company or other person who performs covered services. “Covered services” are services performed by a “person” that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867). The final rule does not require BSPs to assess whether the incident rises to the level of a notification incident for a BO customer. That responsibility remains with the banking organizations.
The final rule requires a BSP to notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible when the BSP determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the BO for four or more hours. If the BO has not previously provided a designated point of contact, the notification must be made to the BO’s chief executive officer and chief information officer or to two individuals of comparable responsibilities.
The agencies recognize that certain BSPs may have contractual incident notification requirements that may differ from the final rule. However, the agencies believe that the final rule already aligns with these provisions. Therefore, a BSP should revisit its contracts to make sure its notification provisions comply with the final rule.
The new final rule decreases the timeframe within which a BO and BSP must notify their regulators. Failure to notify within the expected timeframe can lead to citations by the regulator. Therefore, it is highly recommended to have cybersecurity and data privacy counsel assist with any cyber-security incident as soon as it occurs to comply with these notification obligations.