On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (the Board), and the Office of the Comptroller of the Currency (OCC) (together, “the Agencies”) issued a joint final rule establishing computer security incident notification requirements for banking organizations (BOs) and bank service providers (BSPs).
During the rulemaking process, the agencies initially aligned the definition of a computer security incident with the language used by the National Institute of Standards and Technology (NIST). However, the agencies concluded that the NIST definition was not entirely consistent with the purposes of the rule, and the final rule’s definition was therefore narrowed. The final rule defines a “computer security incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system, or of the information that the system processes, stores, or transmits. The new definition narrows the focus to those incidents most likely to materially and adversely affect BOs, while maintaining general consistency with the NIST definition.
Even where an event meets the updated definition of a computer security incident, not every incident will require notification. The final rule adopts a “reasonably likely” standard, which requires a BO to notify its primary federal regulator when it experiences a computer security incident that is reasonably likely to materially disrupt or degrade the BO or its operations (see footnote 5 of the joint final rule). The new standard does not, however, require notification of adverse consequences that are merely possible or hypothetical.
The agencies have included a list of incidents that are generally considered a “notification incident” under the final rule:
- Large-scale distributed denial of service attacks that disable customer account access for an extended period of time (for example, more than 4 hours);
- A BSP that the BO uses for its core banking platform to operate business applications experiences widespread system outages, and the recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and BO staff;
- An unrecoverable system failure that triggers activation of the BO’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on the BO’s network that poses an imminent threat to the BO’s core business lines or critical operations, or that requires the BO to disconnect any compromised products or information systems supporting the BO’s core business lines or critical operations from Internet-based network communications; and
- A ransomware attack that encrypts a core banking system or backup data.
These are only some examples of incidents that require notification under the final rule. The agencies have also advised that each incident should be analyzed case by case to determine whether notification is required.
Each of the three agencies defines “banking organization” differently. The OCC’s definition includes national banks, federal savings associations, and federal branches and agencies of foreign banks. The Board’s definition includes all U.S. bank holding companies and savings and loan holding companies, as well as state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations. The FDIC’s definition includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.
If an entity falls within the definition of a BO, is subject to one of the three federal regulators, and experiences a computer security incident that rises to the level of a “notification incident,” the entity must notify its regulator under the final rule as soon as possible and no later than 36 hours after the entity determines that a notification incident has occurred. The final rule states that the entity must notify the appropriate point of contact designated by its agency by email, telephone, or other such method as the agency may specify. Because each agency may designate different points of contact at the regional level, it is recommended that the entity work with counsel to coordinate these efforts.
The 36-hour time limit serves as an early alert to the BO’s primary federal regulator about a notification incident. Given this timing, the BO can expect to provide general information about the incident, to the extent that such information is available.
The final rule defines a “bank service provider” as a bank service company or any other person that performs covered services. “Covered services” are services performed by a “person” subject to the Bank Service Company Act (12 U.S.C. 1861–1867). The final rule does not require BSPs to assess whether an incident rises to the level of a notification incident for a BO customer; that responsibility remains with the banking organization.
The final rule requires a BSP to notify at least one designated bank point of contact at each affected BO customer as soon as possible once the BSP determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to that BO for four hours or more. If the BO has not previously designated a particular point of contact, the notification should be made to the BO’s chief executive officer and chief information officer, or to two individuals with comparable responsibilities.
The agencies are aware that some BSPs may have contractual incident reporting requirements that differ from the final rule. However, the agencies believe that the final rule is already consistent with such provisions. BSPs must therefore review their contracts to ensure that their notification provisions comply with the final rule.
The new final rule shortens the time frame within which BOs and BSPs must provide notification. Failure to notify within the required time frame can result in citations by the regulator. It is therefore highly recommended that a cybersecurity and data privacy advisor assist with any computer security incident as soon as it occurs, so that these notification obligations are met.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.