On November 18, 2021, the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”) and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, the “Agencies”) issued a new rule (the “Rule”) that requires banking organizations and their banking service providers to report “significant” cybersecurity incidents within 36 hours of discovery, as set out in the Federal Register (see 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC). Given the frequency and severity of cyber attacks against the financial services industry, the Rule aims to promote timely notification of “computer security incidents” (as defined below) that could significantly and adversely affect entities regulated by the Agencies. The Rule takes effect on April 1, 2022, with full compliance required by May 1, 2022.
Which entities does the Rule apply to?
The Rule applies to “banking organizations” regulated by the FDIC, the Board and the OCC. The definition of a banking organization differs depending on the applicable federal regulator:
- FDIC: an insured depository institution supervised by the FDIC, including all insured state nonmember banks, insured state branches of foreign banks, and insured state savings associations
- Board: a U.S. bank holding company, a U.S. savings and loan holding company, a state member bank, the U.S. operations of foreign banking organizations, and an Edge or agreement corporation
- OCC: a national bank, a federal savings association, or a federal branch or agency of a foreign bank
The Rule also applies to a “banking service provider”, defined as a “bank service company” or other person that provides “covered services”, meaning services that are subject to the Bank Service Company Act (“BSCA”) (12 U.S.C. §§ 1861-1867). The services covered by the BSCA include sorting and posting checks and deposits, computing and posting interest, preparing and mailing checks or statements, and other clerical, bookkeeping, accounting, statistical or similar functions such as data processing, Internet banking and mobile banking services. The definition of a banking service provider is the same for each federal regulator.
Reporting obligations of a “banking organization”
Under the Rule, a banking organization is required to notify its lead federal regulator (FDIC, Board or OCC) of a “notification incident” by email, telephone or other similar method that the lead regulator may prescribe. A banking organization must notify its lead federal regulator no later than 36 hours after it determines that a notification incident has occurred. While the Rule does not impose detailed requirements for the content of the notice, the 36-hour deadline is likely to present operational challenges for a banking organization in the midst of a “notification incident”.
The Rule defines a “notification incident” as a “computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
In turn, a “computer security incident” is defined as “an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits”. The Rule leaves the meaning of “actual harm” ambiguous, as it does not define that term.
To help clarify the scope of notification incidents, the Rule provides the following non-exhaustive list of “computer security incidents” that rise to the level of a “notification incident”:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
- A banking service provider that is used by a banking organization for its core banking platform to operate business applications experiences widespread system outages and the recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and employees of the banking organization;
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware propagating on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations, or that requires the banking organization to disengage any compromised products or information systems that support its core business lines or critical operations from Internet-based network connections; and
- A ransomware attack that encrypts a core banking system or backup data.
Reporting obligations of a “banking service provider”
Under the Rule, a “banking service provider” is required to “notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the banking service provider determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to that banking organization for four or more hours.”
The Rule provides that a bank-designated point of contact is an email address, telephone number or other contact previously provided to the banking service provider by the banking organization customer. If the banking organization customer has not previously provided a bank-designated point of contact, the banking service provider must notify the chief executive officer and chief information officer of the banking organization customer, or two individuals with comparable responsibilities, through any reasonable means. No notification is required for scheduled maintenance, testing or software updates that were previously communicated to the banking organization customer.
Separate incident reporting obligations
The Rule’s incident reporting obligations are separate and distinct from other incident reporting requirements in the financial services industry. Unlike the Gramm-Leach-Bliley Act incident response program regulations, which focus on unauthorized access to customer information, the Rule focuses on computer security incidents that cause severe business disruption for banks or their service providers. In addition, the Rule’s notification requirement is faster than state data breach notification laws. The Rule’s notice period is also stricter than the 72-hour notice requirement in the New York Department of Financial Services Cybersecurity Regulation, 23 NYCRR Part 500.
Takeaways
The Rule is in line with a recent trend of state and federal regulatory agencies adopting reporting requirements for data breaches and cybersecurity incidents. Banking organizations should review and update their existing security incident investigation and response policies to ensure that they reflect the Rule’s requirements and that they have the appropriate metrics and resources to quickly determine whether a computer security incident rises to the level of a notification incident. Banking service providers should prepare for the Rule by establishing a list of bank-designated points of contact at each banking organization customer and ensuring that their internal policies are up to date in light of the Rule. Banking organizations should also update their contracts with banking service providers to require compliance with the Rule.