The three federal banking agencies (i.e., the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—collectively, the Agencies) published a final rule (the Rule) on November 23, 2021, requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours.
The Rule applies to all national banks, insured state member and nonmember banks, federal and insured state savings associations, US bank holding companies and savings and loan holding companies, state and federal branches and agencies of foreign banks, and the US operations of foreign banking organizations. Bank service providers covered by the Rule include any bank service company or other person that provides services subject to the Bank Service Company Act. The Rule is scheduled to take effect on April 1, 2022, with full compliance required by May 1, 2022.
Under the Rule, any computer-security incident that rises to the level of a “notification incident” triggers the notification requirement applicable to banking organizations.
The Rule defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
The Rule defines a “notification incident” as “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s —
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
Computer-security incidents may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions.
The stated purpose of the Rule’s 36-hour notification requirement is to “help promote early awareness of emerging threats to banking organizations and the broader financial system.” Consistent with that purpose, the Rule does not set forth specific content or format requirements for the required notification, and indeed suggests that any form of written or oral communication to the appropriate federal agency will be sufficient, subject to the Agencies’ authority to prescribe particular notification methods in the future.
Computer-security incident notifications and any information related to the incident will be subject to the Agencies’ general confidentiality regulations.
The Rule separately requires bank service providers to notify a designated point of contact at each affected banking organization customer as soon as possible in the event of a computer-security incident that has materially affected, or is reasonably likely to materially affect, customers for four or more hours. This notification will allow the banking organization to assess whether the incident triggers the banking organization’s own notification requirement to the appropriate federal agency. While banking organizations’ contractual arrangements with service providers generally impose incident notification requirements, the Agencies have determined “that this issue is important enough to warrant an independent regulatory requirement that ensures consistency and enforceability.”
Observations
- The Rule as finally adopted is narrower in coverage than the original rule proposal. Among other things, the Rule narrowed the definition of computer-security incident contained in the proposal by focusing on actual, rather than potential, harm and by removing the second prong of the proposed definition relating to violations of internal policies or procedures. Further, the final Rule substituted the phrase “reasonably likely to” in place of “could” in the definition of notification incident, and replaced the “good faith belief” notification standard with a more objective determination standard.
- The eight current systemically important Financial Market Utilities (consisting of the leading financial transaction transfer, clearance, and settlement systems) are excluded from the Rule because they are already subject to incident notification requirements under other federal regulations.
- Although the Bank Secrecy Act and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice already require banking organizations to notify their regulator for certain limited computer-security incidents, the Rule expands on the type of incident that triggers notification and adds a shorter notification deadline.
- Several commenters had suggested that the Agencies use a 72-hour window to provide additional time to assess potential incidents and to align the Rule with other regulatory requirements such as the New York State Department of Financial Services’ cybersecurity event notification requirement, or the European Union’s General Data Protection Regulation. Rather than adopting a similar timeframe, the Agencies decided instead on a 36-hour notification requirement given that the Rule does not require the provision of a detailed notice. In turn, the flexibility allowed in the contents of any required notice may alleviate to some extent the compliance issues associated with the accelerated notification timeline.
- The Rule states that affiliated banking organizations each have separate and independent notification obligations. Subsidiaries of banking organizations that are not themselves banking organizations, however, do not have notification requirements. Thus, if a computer-security incident were to occur at a non-banking organization subsidiary of a banking organization (e.g., certain nonbank subsidiaries of a US bank holding company), the parent banking organization would need to assess whether the incident was a notification incident for it, and if so, the parent would be required to notify its primary federal regulator.