On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) (collectively, “the agencies”) issued a joint final rule establishing computer security incident notification requirements for banking organizations (BOs) and their bank service providers (BSPs).
During the rulemaking process, the agencies initially aligned the definition of a computer security incident with the language used by the National Institute of Standards and Technology (NIST). However, the agencies concluded that the NIST definition did not fully meet the objectives of the rule and therefore narrowed the definition in the final rule. The final rule defines a “computer security incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. The narrower definition focuses on the incidents most likely to materially and adversely affect BOs, while remaining generally consistent with the NIST definition.
Even under the updated definition, not every computer security incident requires notification. The final rule adds a “reasonably likely” standard: a BO must notify its primary federal regulator when it has experienced a computer security incident that has materially disrupted, or is reasonably likely to materially disrupt or degrade, the BO or its operations (see fn. 5 of the joint final rule). The standard does not require notification for adverse effects that are merely possible or hypothetical.
The agencies included a non-exhaustive list of incidents that would generally be considered a “notification incident” under the final rule:
- Large-scale distributed denial-of-service attacks that disrupt customer account access for an extended period (e.g., more than 4 hours);
- A BSP used by a BO for its core banking platform to operate business applications experiences widespread system outages, and the recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for the BO’s customers and employees;
- An unrecoverable system failure that results in the activation of a BO’s business continuity or disaster recovery plan;
- A system compromise (hacking incident) that disables banking operations for an extended period;
- Malware on a BO’s network that poses an imminent threat to the BO’s core business lines or critical operations, or that requires the BO to disconnect any compromised products or information systems that support those core business lines or critical operations from Internet-based network connections; and
- A ransomware attack that encrypts a core banking system or backup data.
These are only examples of incidents that would require notification under the final rule. The agencies also advised that each incident be analyzed on a case-by-case basis to determine whether notification is required.
Each of the three agencies defines “banking organization” differently. The OCC’s definition includes national banks, federal savings associations, and federal branches and agencies of foreign banks. The Board’s definition includes all U.S. bank holding companies and savings and loan holding companies, as well as state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations. The FDIC’s definition includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.
If an entity meets the definition of a BO, is supervised by one of the three federal regulators, and experiences a notification incident (as defined above), the entity must provide notice under the final rule as soon as possible and no later than 36 hours after it determines that a notification incident has occurred. The final rule provides that the entity notify the point of contact designated by its primary federal regulator by email, telephone, or any other similar method the agency may prescribe. Because each agency may designate different points of contact at the regional level, an entity should work with counsel to coordinate these notifications.
The 36-hour deadline serves as an early warning to a BO’s primary federal regulator that a notification incident has occurred. Given this timeline, a BO is expected to provide general information about the incident only to the extent that such information is available at the time.
Banking service providers
The final rule defines a “bank service provider” as a bank service company or other person that provides covered services. “Covered services” are services provided by a “person” that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867). The final rule does not require a BSP to assess whether an incident rises to the level of a notification incident for a BO customer; that responsibility lies with the banking organization.
The final rule requires a BSP to notify at least one bank-designated point of contact at each affected BO customer as soon as possible after the BSP determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the covered services it provides to that BO for four hours or more. If the BO has not designated a point of contact, the BSP should notify the BO’s chief executive officer and chief information officer, or two individuals with comparable responsibilities.
The agencies recognize that some BSPs may have contractual incident notification obligations that differ from the final rule, but they believe the final rule is generally consistent with such provisions. A BSP should nevertheless review its contracts to ensure that its notification provisions comply with the final rule.
The final rule shortens the time within which a BO must notify its regulator and a BSP must notify its BO customers. Failure to notify on time may result in citations by the regulator. It is therefore strongly recommended that an organization engage cybersecurity and data privacy counsel as soon as a computer security incident occurs so that it can meet these notification obligations.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.