On November 18, 2021, the Office of the Comptroller of the Currency (“OCC”), the Board of Governors of the Federal Reserve System (“Board”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, the “Agencies”) issued a new rule (the “Rule”) that requires banking organizations and their bank service providers to report any “significant” cybersecurity incident within 36 hours of discovery, as set forth in the Federal Register (see 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC). Due to the frequency and severity of cyberattacks on the financial services industry, the Rule is intended to promote the timely notification of “computer-security incidents” (as defined below) that may materially and adversely affect entities regulated by the Agencies. The Rule takes effect on April 1, 2022, with full compliance required by May 1, 2022.
Which entities does this Rule apply to?
The Rule applies to FDIC-, Board-, and OCC-regulated “banking organizations.” The definition of a banking organization differs based on the applicable federal regulator:
- FDIC: an FDIC-supervised insured depository institution, including all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations
- Board: a U.S. bank holding company, U.S. savings and loan holding company, state member bank, the U.S. operations of foreign banking organizations, and an Edge Act or agreement corporation
- OCC: a national bank, federal savings association, or federal branch or agency of a foreign bank
The Rule also applies to a “bank service provider,” which is defined as a “bank service company” or other person who performs “covered services,” which are services performed by a “person” that are subject to the Bank Service Company Act (“BSCA”) (12 U.S.C. §§ 1861–1867). Services covered by the BSCA include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, online banking, and mobile banking services. The definition of a bank service provider is the same for each federal regulator.
Reporting obligations of a “banking organization”
Under the Rule, a banking organization is required to notify its primary federal regulator (FDIC, Board, or OCC) about a “notification incident” through email, telephone, or other similar methods that the primary regulator may prescribe. A banking organization must notify its primary federal regulator no later than 36 hours after the banking organization determines that a notification incident has occurred. Even though the Rule does not impose detailed notice content requirements, the 36-hour timeframe will likely present operational challenges for a banking organization in the midst of a “notification incident.”
The Rule defines a “notification incident” as a “computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
Moreover, a “computer-security incident” is defined as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” The Rule leaves the meaning of “actual harm” ambiguous, as it does not provide a definition for this phrase.
The Rule provides the following non-exhaustive list of “computer-security incidents” that rise to the level of a “notification incident” to help clarify the scope of notification incidents:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
- A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.
Reporting obligations of a “bank service provider”
Under the Rule, a “bank service provider” is required to “notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.”
The Rule provides that a bank-designated point of contact is an email address, phone number, or any other contact(s) previously provided to the bank service provider by the banking organization customer. If the banking organization customer has not previously provided a bank-designated point of contact, a bank service provider shall notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means. Notification is not required for any scheduled maintenance, testing, or software update that has been previously communicated to a banking organization customer.
Distinct incident reporting obligations
The Rule’s incident reporting obligations are separate and apart from other incident reporting requirements in the financial services industry. Unlike the incident response program regulations promulgated under the Gramm-Leach-Bliley Act, which focus on unauthorized access to customer information, the Rule focuses on computer-security incidents that result in severe business disruptions to banks or their service providers. In addition, the Rule imposes a “faster” notice requirement than state data breach notification laws. The Rule’s notification timeframe is also more aggressive than the 72-hour regulator notice obligation specified in the New York Department of Financial Services Cybersecurity Regulations promulgated in 23 NYCRR Part 500.
The Rule is consistent with a recent trend of state and federal regulatory agencies enacting reporting requirements pertaining to data breach and cybersecurity incidents. Banking organizations should review and update existing security incident investigation and response policies to ensure that these reflect the new requirements in the Rule and that they have appropriate measures and resources in place to quickly determine whether a computer-security incident rises to the level of a notification incident. In addition, bank service providers should prepare for the Rule by compiling a list of bank-designated points of contact at each banking organization customer and ensuring that their internal policies are up to date in light of the Rule. Banking organizations should also update their contracts with bank service providers to require compliance with the Rule.