
Published on April 1st, 2021


Proposed Computer-Security Incident Rule Would Impose Significant Notification Obligations – Finance and Banking



In Short

The Situation: On December 18, 2020, the Office
of the Comptroller of the Currency, the Federal Deposit Insurance
Corporation, and the Board of Governors of the Federal Reserve
System (the "Federal Banking Agencies") jointly proposed
a new rule (the "Proposed Rule") that would impose
significant new notification obligations on banking organizations
and their service providers in the event of a
"computer-security incident" that materially disrupts,
degrades, or impairs certain important business operations.

The Result: The Proposed Rule would expand the
types of cyber incidents that require regulatory notification and
accelerate the time period within which notification must occur for
the expanded category of reportable cyber incidents.

Looking Ahead: Banking organizations and their
third-party service providers should proactively assess their risk
management, information security, technology and vendor management
compliance programs, and business continuity and incident response
plans to determine whether current policies and procedures will
need to be updated in the event that the Proposed Rule is adopted
without significant changes.

The frequency and severity of cyberattacks have increased
significantly in recent years. In light of this growing threat and
concerns regarding the disruptive effects these attacks can have on
the business operations of financial institutions, on December 18,
2020, the Federal Banking Agencies proposed a new rule that would
alter the current notification obligations of banking organizations
and their service providers. The Federal Banking Agencies issued
the Proposed Rule in response to two perceived gaps in existing
regulations: (i) the lack of notification obligations with respect
to cyber incidents that disrupt business operations but do not
involve the unauthorized access to or acquisition of sensitive
customer information; and (ii) the absence of a requirement to
provide "an early alert to the banking organization's
primary federal regulator" regarding such incidents.

Proposed Notification Requirements

The Proposed Rule would establish new cyber incident
notification triggers for banking organizations and their service
providers, mandating notice of any "computer-security
incident" by banking organizations to their primary federal
regulator within 36 hours, and by third-party service providers to
at least two individuals at the affected banking organization
customer immediately, if such an incident could disrupt, degrade,
or impair the services the provider supplies for four hours or more.

Specifically, the Proposed Rule would require a banking
organization to notify its primary federal regulator when the
organization determines that it was the victim of "any
'computer security incident' that rises to the level of a
'notification incident.'" A "computer security
incident" is an incident that results in "actual or
potential harm to the confidentiality, integrity, or availability
of an information system or the information that the system
processes, stores, or transmits; or constitutes a violation or
imminent threat of violation of security policies, security
procedures, or acceptable use policies." The term is
comparable to the current term used by the National Institute of
Standards and Technology.

A "notification incident" is defined as a
"computer security incident" that an entity
"believes in good faith could materially disrupt, degrade, or
impair the ability of the banking organization to carry out banking
operations, activities, or processes, or deliver banking products
and services to a material portion of its customer base, in the
ordinary course of business; any business line of a banking
organization, including associated operations, services, functions
and support, and would result in a material loss of revenue,
profit, or franchise value; or those operations of a banking
organization, including associated services, functions and support,
as applicable, the failure or discontinuance of which would pose a
threat to the financial stability of the United States."

The Proposed Rule provides a non-exhaustive illustrative list of
events that the Federal Banking Agencies would consider
"notification incidents" including: (i) denial-of-service
attacks that disrupt customer account access for more than four
hours; (ii) widespread system outages experienced by bank service
providers with undeterminable recovery times; (iii) hacking
incidents that disable banking operations for an extended period of
time; and (iv) ransomware attacks that encrypt core banking systems
or backup data.

For bank service providers, the Proposed Rule would require
notification to affected banking organization customers when the
service provider determines that it suffered a computer-security
incident "that it believes in good faith could disrupt,
degrade, or impair" certain important services provided to
banking organizations for four or more hours.

The Proposed Rule also would accelerate the time period within
which notification must occur. Banking organizations would be
required to notify their primary regulator of a "notification
incident" as soon as possible, but no later than 36 hours
after the organization believes in good faith that such an incident
occurred. Bank service providers would need to notify "at
least two individuals at affected banking organization customers
immediately after experiencing a computer-security incident that it
believes in good faith could disrupt, degrade, or impair services
provided subject to the Bank Service Company Act for four or more
hours."

The Proposed Rule would cover a broader set of cyber-related and
computer-security incidents than required by existing federal
regulatory requirements for notice and reporting of cyber- and
information-security incidents under the Bank Secrecy Act, the Bank
Service Company Act, and the Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice.

The Proposed Rule would apply to all types of banking
organizations that are subject to regulation by the Federal Banking Agencies,
including federally chartered banks and branches and agencies of
non-U.S. banks, state-chartered member and nonmember banks,
state-licensed branches of non-U.S. banks, U.S. bank holding
companies and U.S. operations of foreign banking organizations, and
would impose obligations on bank service providers and any
companies that provide services under the Bank Service Company Act
as well. Banking organizations and their service providers should
remain cognizant of state laws and regulatory requirements for
notice and reporting of cyber-related and computer-security
incidents once new federal requirements are adopted.

Implications of the Proposed Rule

The Proposed Rule would significantly change the current breach
notification framework for banking organizations and service
providers that become victims of cyberattacks. It would create new
triggers for notification beyond potential impact on customer data,
requiring banking organizations to quickly undertake the additional
assessment of whether cyber incidents rise to the level of a
"notification incident" or whether a bank service
provider's computer security incident could disrupt important
services, in addition to investigating whether the incident
involved sensitive customer information. Significantly, these new
reporting requirements target situations in which business
operations are disrupted and will add to the substantial burden
banking organizations and service providers already face in the
early stages of responding to such an incident. The short incident
reporting deadlines and the follow-on continuing engagement with
regulators or banking organizations could divert attention and
resources away from the immediate business need to restore
operations and mitigate impacts.

In an attempt to diminish this possible impact, the Federal
Banking Agencies note that the proposed notification "is not
intended to provide an assessment of the incident" at the time
of reporting, and would not impose any particular form of notice on
banking organizations or service providers or specify the
information that the notice must include.

The Federal Banking Agencies are accepting public comment on the
Proposed Rule for 90 days after publication in the Federal
Register.

Originally published January 2021.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
