On November 18, 2021, the US federal banking regulators Office of the Comptroller of the Currency, Federal Reserve Board and Federal Deposit Insurance Corporation jointly announced a final rule that will require banking organizations (which includes the U.S. operations of foreign banking organizations) to notify their regulators as soon as possible but no later than 36 hours of identifying a significant “computer-security incident” that results in “actual harm” and rises to the level of a “notification incident” as defined in the final rule. The proposed rule would also impose a separate notification requirement on companies (such as data processing companies) that provide certain services to those banks. Those service providers would be required to notify “each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.” The final rule reflects several significant changes to the proposal that had been issued for comment in January 2021, including a narrowing of the definition of “computer security incident” from merely “significant” incidents and a notification window of 36 hours instead of “immediate.”
The final regulations go into effect on April 1, 2022, with a compliance date of May 1, 2022.
Applicability to Banking Organizations
The final rule defines a “computer security incident” to be:
an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
Note that this final definition is NOT limited to personal information and is NOT limited to cyberattacks. The final rule extends well beyond incidents relating to attacks resulting in personal data breaches. However, not all “computer security incidents” would require notification to bank regulators—only those that rise to the level of a “notification incident,” which means a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The regulators clarified the standard for the second prong above as follows: “a banking organization should evaluate whether the loss is material to the organization as a whole.”
A covered bank will be required to provide notice via email, telephone or “other similar method” to its federal regulator as soon as possible but no later than 36 hours “after the banking organization determines that a notification incident has occurred.” Importantly, the agencies do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident. The agencies anticipate that it would take a reasonable amount of time to determine that that a security incident rises to the level of a notification incident, particularly for incidents that occur outside of normal business hours. Only once the banking organization has made such a determination would the 36-hour timeframe begin.
The rule does not require any specific content or format for the notification, nor does it impose any recordkeeping requirements. The regulators explained that the purpose of the notification requirement is to ensure that regulators receive timely notice of incidents while providing banking organizations with flexibility as to the content of the notices. The regulators further noted, however, that banking organizations that provide sector-critical services currently provide same-day notification to their regulators, and the regulators encourage this practice to continue.
Note that the final rule does not apply to non-banking organization subsidiaries of a covered banking organization, unless an incident that occurs at the non-banking organization subsidiary is a notification incident for the parent itself.
The regulators rejected a request that notifications be accorded a blanket exemption from public disclosure under the Freedom of Information Act (FOIA), but the regulators did note that the notifications would be subject to the regulators’ confidentiality rules, which protect confidential, proprietary, examination/supervisory, and sensitive personally identifiable information.
Applicability to Bank Service Providers
The final rule defines a “bank service provider” as “a bank service company or other person that performs covered services” (i.e., services covered by the Bank Service Company Act). However, designated financial market utilities are not bank service providers under the final rule.
A bank service provider must give notice to one designated contact at the bank via email or phone “as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.”
In response to comments, the regulators added a clarification the notice requirement “does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.” But the regulators cautioned that this exception would not apply if the scheduled maintenance, testing or update “exceeds the parameters communicated to the banking organization customer and meets the notification standard set forth in the rule.”
The regulators are aware that the currently-existing bank service provider agreements may have different notification requirements, but stated that the “notification requirement created by this rule is independent of any contractual provisions, and therefore, bank service providers must comply even where their contractual obligations differ from the notification requirement in this rule.”