Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

<img class="alignright wp-image-6847" src="https://www.bakerdatacounsel.com/wp-content/uploads/sites/5/2021/12/abstract-concept-pc-internet-GettyImages-993559176_1200x630_72dpi.jpg" alt="" width="438" height="230" />As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators took action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final rule that requires a federally regulated bank to notify its primary federal regulator within 36 hours after determining that a computer-security “notification incident” has occurred. We provide below a summary of the new notice requirement, which will apply to banking organizations and service providers starting in April 2022.

When does this final rule take effect?

The final rule takes effect on April 1, 2022, with full compliance extended to May 1, 2022. Regulators should provide supervised institutions logistics for notification in early 2022.<a href="#_ftn1" name="_ftnref1">[1]</a>



Which organizations have to comply with this rule? 

The rule applies to “banking organizations” and their “service providers,” and requires banking organizations to provide notification “as soon as possible” but, in any event, no later than 36 hours following an organization’s determination that a notification incident has occurred. The scope of banking organizations included under the ambit of each of these regulators varies, but it covers national banks, federal savings associations, and federal branches and agencies of foreign banks (OCC); insured state nonmember banks, insured state-licensed branches of foreign banks and insured state savings associations (FDIC); and U.S. bank holding companies and savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge Act and Agreement corporations (Board).

How does the rule affect banking service providers? 

The rule requires banking service providers to notify the banking organizations to which they provide service of computer-security incidents as soon as possible after determining that a computer-security incident “has caused, or is reasonably likely to cause, a material service disruption of degradation for four or more hours.” Service providers are to notify “at least one bank-designated point of contact at each affected banking organization customer” about these incidents. However, if the banking organization has not previously provided a bank-designated point of contact, the notifications can be directed through any reasonable means to the CEO and CIO of the banking organization or to two individuals with comparable responsibilities. The notification requirement does not apply to scheduled maintenance, testing or software updates previously communicated to a banking organization, suggesting that providers should provide notice if the maintenance, testing or software update would take at least four hours.

What are notification incidents under the rule?

Under the rule, notification incidents are computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, a banking organization’s:
<ul>
 	<li>ability to carry out banking operations, activities or processes or to deliver banking products and services to a material portion of its customer base in the ordinary course of business;</li>
 	<li>business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or</li>
 	<li>operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the U.S.</li>
</ul>
Notably, to qualify as a computer-security incident under the rule, an incident must cause actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits, providing entities a path to avoid notice in cases where an incident only threatens to cause one of these harms.

The rule’s commentary includes examples of incidents that trigger notice (for example, disruption by a denial-of-service attack is material when it lasts more than four hours, and a ransomware attack is material when it encrypts a “core” system or backup data). The materiality trigger is similar to the materiality prong of the notice provision in the New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies. The NYDFS requires notice for events “that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”<a href="#_ftn2" name="_ftnref2">[2]</a> But unlike the NYDFS notice requirement and many other U.S.-style notice laws—which suggest a focus on malicious, adversarial attacks—the new rule explicitly covers accidental system failures that create a material disruption (for example, failed system upgrades or changes that result in widespread user outages). This reflects the banking regulators’ interest in being notified of incidents that may affect a banking organization’s operations, regardless of the incident’s cause.

How does this rule affect incidents involving a compromise of sensitive customer information?

As the rule’s definitions make clear, federal banking regulators are concerned with material disruptions to critical services, such as denial-of-service attacks, which may or may not compromise the confidentiality of customer information. If the same security incident compromises sensitive customer information, banks may have additional obligations under the banking regulators’ existing Interagency Guidance on Response Programs for Security Breaches and state breach notification laws.

What actions should I take next?

Banking organizations should:
<ul>
 	<li>Look for their regulators’ specific guidance in early 2022 on logistics to report incidents.</li>
 	<li>Review and update existing incident response plans to ensure that notification incidents are properly escalated and addressed.</li>
 	<li>Review and update their agreements with service providers so that these third parties have explicit contractual obligations to comply with the requirements under the rule.</li>
</ul>
If you suspect that your organization is experiencing or has experienced a security incident, please feel free to contact BakerHostetler at our toll-free 24-Hour Data Breach Hotline, +1.855.217.5204.

<a href="#_ftnref1" name="_ftn1">[1]</a> Financial Institution Letter, Computer-Security Incident Notification Final Rule (Nov. 18, 2021), <a href="https://www.fdic.gov/news/financial-institution-letters/2021/fil21074.html">https://www.fdic.gov/news/financial-institution-letters/2021/fil21074.html</a>.

<a href="#_ftnref2" name="_ftn2">[2]</a> 23 CRR-NY 500.17(a)(2).

core/freeform

Seattle

Partner

Andreas T. Kaltsounis

New York

Counsel

Adam I. Cohen

Federal Banking Regulators Issue 36-Hour Computer-Security Incident Notification Requirement