Banks have 36 Hours to Report Major Cybersecurity Issues

On November 23, 2021, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) jointly announced a new bank rule that directs banks to report a significant computer-security incident to their regulators as soon as possible, but no later than 36 hours after discovery. The final rule goes into effect on April 1, 2022, with a compliance date of May 1, 2022.

This new regulation comes in the wake of a massive increase in attacks against the financial sector, which a congressional hearing reported had risen by 238% in the first five months of 2020.

Another report, by Cybersecurity Ventures, projects that total cybercrime costs will reach $10.5 trillion by 2025, and a report by Check Point Software indicated that finance/banking organizations saw approximately 700 attacks per organization per week during the fourth quarter of 2021.

What Qualifies as a Computer-Security Incident?

The final rule defines a computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

The rule covers incidents beyond attacks that result in personal data breaches, but it only requires computer-security incidents that rise to the level of a “notification incident” to be reported. The final rule defines a “notification incident” as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Examples of incident types that could trigger notification obligations include large-scale distributed denial-of-service attacks that disrupt customer account access for an extended period of time, failed system upgrades that result in widespread user outages, and ransomware attacks. While the agencies have provided examples to clarify the scope of the notification requirement, the final rule requires banking organizations to evaluate each incident on a case-by-case basis to determine whether it meets the thresholds of a notification incident. If a bank encounters an incident and management is uncertain whether it meets those thresholds, the agencies encourage the bank to contact its regulator.

Which Banking Organizations are Included?

According to the guidance, banking organizations covered under the final rule include all depository institutions, holding companies, and certain other financial entities that are supervised by one or more of the agencies. The final rule also imposes new obligations on a bank’s service providers.

What is the Process of Giving Notice?

A covered bank will be required to provide notice via email, telephone, or “other similar method” to its federal regulator as soon as possible, but no later than 36 hours after the bank has determined that a notification incident has occurred.

Once a service provider has determined that an incident meets certain thresholds, it is required to notify its bank-designated contact via email or phone as soon as possible.

Conclusion

It will take some time for a bank to determine whether a security incident meets the criteria for a notification incident. The agencies recognize this, so the 36-hour timeframe begins only after the bank has determined that a notification incident has occurred.

Regulators are also aware that an existing bank service provider agreement may have different notification requirements. However, they state that the “notification requirement created by this rule is independent of any contractual provisions, and therefore, bank service providers must comply even where their contractual obligations differ from the notification requirement in this rule.”

All covered financial institutions need to be prepared to properly manage computer-security incidents and ensure compliance with this new rule. We recommend your team prepare now by reviewing policies and procedures and revising them where necessary. Organizations should also reach out to service providers to ensure they are prepared to comply, and should confirm that the correct point of contact, with current contact information, is on file in case of an incident.

The full Rule can be found on the Federal Register website and contains detailed definitions of covered organizations and incidents, examples of incidents and notifications, and more. If you would like assistance in reviewing your current policies and procedures to ensure you remain compliant, please contact our Financial Institutions Group.