For many years, the primary concern of victims of cybersecurity events was mitigating the damage fraudsters caused in the attack. More recently, federal agencies are imposing more legal compliance obligations on organizations in the wake of cybersecurity incidents.
For example, this blog reviewed changes to policies from the Office of Foreign Asset Control (“OFAC”) that may affect organizations’ ability to pay ransomware demands. The new OFAC guidance clarifies organizations’ responsibilities to make sure they do not provide funds to prohibited individuals and entities.
Federal banking regulators are getting in on the act, too. The FDIC, Federal Reserve, and OCC promulgated a new rule requiring banks to notify banking regulators within 36 hours of determining a cybersecurity incident has occurred. This new 36-hour rule means banks will have an additional regulatory obligation to consider during a cybersecurity event.
The comments to the rule state that “the [federal banking] agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident.” The comments go on to state “only once the banking organization has made such a determination would the 36-hour timeframe begin.” In other words, banking regulators expect banks to attempt to determine the nature and extent of a cybersecurity incident before the 36-hour notice clock starts to run.
It is therefore important for banks to understand what types of events trigger the notice requirement. The new rule applies to “computer security incidents,” which are defined as:
[A]n occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
The rule then only requires notice to banking regulators of any “computer security incident” that leads to a “notification incident.” A “notification incident” is:
[A] computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Regulators provided a non-exhaustive list of examples of the types of incidents that require notification:
1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
4. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
5. A computer hacking incident that disables banking operations for an extended period of time;
6. Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections; and
7. A ransom malware attack that encrypts a core banking system or backup data.
Many of the examples require some amount of judgment by the affected institution to determine whether an incident triggers the notice requirement. As an illustration, example 6 in the non-exhaustive list requires notice if ransomware poses an “imminent” threat to the bank’s core business. Whether a threat is imminent will require an assessment by qualified computer forensic firms, as well as an assessment of the legal and business issues related to the affected system. For example, banks may need to answer whether encryption of loan officers’ email by ransomware is an imminent threat to a core business line.
Therefore, banks that experience a cybersecurity event should immediately engage a qualified computer forensic team to determine the scope and scale of the incident. Then, the organization should review with qualified counsel whether the event triggers the notice requirement.
The new rule becomes effective on April 1, 2022, with a compliance deadline of May 1, 2022.
Shareholder Attorney John Lande is chair of Dickinson Law’s Cybersecurity, Data Breach, & Privacy practice group.