On Nov. 18, 2021, federal bank regulatory agencies approved a final rule requiring banking organizations to notify regulators of “any significant computer-security incident” as soon as possible and no later than 36 hours after a determination that such an incident occurred.[1]
The rule will take effect on April 1, 2022. Compliance is required for banking organizations and their bank service providers by May 1, 2022.
The Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corp. (FDIC) and the Board of Governors of the Federal Reserve System (Board) (together, the “agencies”) issued the final rule, which will require a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.” A “computer-security incident” is defined as one that results in “actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” A “notification incident” is defined as “a computer-security incident” that has disrupted or degraded, or is reasonably likely to disrupt or degrade, a banking organization’s
(i) ability to carry out banking operations, activities or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or
(iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
In addition, the rule will require bank service providers to notify at least one designated point of contact at any affected banking organization customer as soon as possible when the provider experiences any computer-security incident that has disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization customer for four or more hours.
Cyberattacks targeting banking organizations have become more frequent and severe over time. In addition to threatening the stability of the financial system, these cyberattacks can harm banking organizations’ networks, data and systems, and potentially disable their operations or prevent customers from accessing their accounts.
The agencies noted that they already learn about certain computer-security incidents based on notification under the Bank Secrecy Act[2] and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice[3] but stated that “these standards do not include all computer-security incidents of which the agencies, as supervisors, need to be alerted and would not always result in timely notification to the agencies.”[4]
In December 2020, the agencies first issued a notice of proposed rulemaking to establish computer-security incident notification requirements for banking organizations and their bank service providers.[5] The agencies received 35 comments from banks, service providers and advocacy groups.[6]
After considering and incorporating industry comments, the agencies narrowed the definition of “notification incident” so that it focuses on actual, rather than potential, harm. Unlike the final rule, the proposal had defined “notification incident” as a computer-security incident that could materially disrupt, degrade or impair the viability of the banking organization’s operations; result in customers being unable to access their deposit and other accounts; or impact the stability of the financial sector. According to the agencies, “most commenters argued that the proposed definition of ‘notification incident’ was overly broad and should be narrowed and only require reporting of incidents involving actual harm.”
The agencies also changed the standard for defining when the rule is triggered for banking organizations. The proposal would have required banking organizations to notify their primary federal regulator within 36 hours of when they believed in good faith that such a “notification incident” had occurred. After considering comments, the agencies replaced the “good faith” standard with the more objective and concrete standard based on a banking organization’s or bank service provider’s determination that an incident had occurred.
As for the bank service provider rule, the proposal would have required bank service providers to notify at least two individuals at each affected banking organization customer. After receiving comments, the agencies changed the rule to require that notice be provided to at least one bank-designated point of contact instead of at least two individuals.
Banking organizations and bank service providers should ensure that they comply with the rule beginning on May 1, 2022.
Any banking organization that falls into one of the agencies’ definitions should comply with the rule. For the OCC, the term “banking organizations” includes national banks, federal savings associations, and federal branches and agencies of foreign banks. For the Board, “banking organizations” includes all U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations. For the FDIC, “banking organizations” includes all insured state nonmember banks, insured state-licensed branches of foreign banks and insured state savings associations. For all three agencies, “banking organizations” does not include designated financial market utilities.
Banking organizations are responsible for assessing whether an incident rises to the level of a “notification incident.” The rule does not require a bank service provider to make that assessment. The agencies noted that they generally will not cite a banking organization because a bank service provider fails to comply with its notification requirement. For bank service providers, the agencies noted that the new rule is independent of any existing contractual provisions, and those providers therefore should comply with the notification requirement in the rule even when their contractual obligations differ from it.
According to the agencies, this rule will “help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic.”
[1] Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corp., Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Nov. 18, 2021), https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20211118a1.pdf.
[2] See 31 U.S.C. 5311 et seq.; 31 CFR subtitle B, chapter X.
[3] See 15 U.S.C. 6801; 12 CFR pt. 30, app’x B, supp. A (OCC); 12 CFR part 208, app’x D-2, supp. A; 12 CFR 211.5(l); 12 CFR part 225, app’x F, supp. A (Board); 12 CFR part 364, app’x B, supp. A (FDIC).
[4] Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, at 7.
[5] 86 FR 2299 (Jan. 12, 2021).
[6] Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, at 9 n.14 (“Comments can be accessed at: https://www.regulations.gov/document/OCC-2020-0038-0001 (OCC); https://www.federalreserve.gov/apps/foia/ViewComments.aspx?doc_id=R-1736&doc_ver=1 (Board); and https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-computer-security-incident-notification-3064-af59.html (FDIC).”)