On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) approved a new final rule regarding reporting of cyber incidents for U.S. banks and service providers.
Under the new rule, a banking organization must notify its primary federal regulator of “any significant computer security incident” as soon as possible and no later than 36 hours after the organization determines that a cyber incident has occurred. Notification is required for incidents “that have materially affected – or are reasonably likely to materially affect – the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.”
A “computer-security incident” is defined as an occurrence that: (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
A “notification incident” is defined as a “computer-security incident” that a banking organization believes in good faith could materially disrupt, degrade, or impair –
- The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- Those operations of a banking organization, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
One commenter requested clarification as to whether a “near miss” incident would constitute a computer-security incident under the rule. In response, the rule states, in a footnote:
A “near-miss” incident would constitute a computer-security incident only to the extent that such a “near-miss” results in actual harm to an information system or the information contained within it. Another commenter stated that the definition of “computer-security incident” should be limited to information systems that can cause a “notification incident.” For clarification, the definition of “computer-security incident” includes all occurrences that result in actual harm to an information system or the information contained within it. However, only those computer-security incidents that fall within the definition of “notification incident” are required to be reported. Two commenters advocated for excluding computer-security incidents due to non-security and nonmalicious causes. For clarity, the definition includes incidents from whatever cause.
The final rule also requires that a bank service provider notify its affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that “has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.” The bank service provider would be required to notify at least one bank-designated point of contact at each affected banking organization customer. If the customer has not previously provided a point of contact, such notification shall be made to the CEO and CIO of the customer or two individuals of comparable responsibilities “through any reasonable means.”
Compliance is required by May 1, 2022.