New Rule Requires Banks Notify Regulators of Security Incidents within 36 Hours

Federal bank regulatory agencies recently announced the approval of a final rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system (the “Final Rule”). The Office of the Comptroller of the Currency (the “OCC”), the Board of Governors of the Federal Reserve System (the “Board”), and the Federal Deposit Insurance Corporation (the “FDIC”) jointly issued the Final Rule on November 18, 2021 and compliance is required by May 1, 2022. Under the Final Rule, a banking organization’s primary federal regulator must receive notification as soon as possible and no later than 36 hours after the banking organization determines that a significant computer-security incident, known as a “notification incident,” has occurred. Further, the Final Rule separately requires a bank service provider to notify each of its affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Definition of Notification Incidents

The Final Rule defines a “notification incident” as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  1. ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  2. business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  3. operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the U.S.

Under the Final Rule, a “computer-security incident” is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. The Final Rule contains a non-exhaustive list of computer-security incidents, such as unrecoverable system failures; widespread system outages; cyber-related interruptions, such as distributed denial of service, hacking, and ransomware attacks; and other types of significant operational interruptions, including those that result in customers being unable to access their deposit and other accounts for an extended period of time.

Details of Notification

A banking organization must notify the appropriate federal regulator’s office or designated point of contact about a notification incident through email, telephone, or another similar method prescribed by the federal regulator. While the federal regulators found that email and telephone are the best methods currently available for effective notification, to account for evolving technology and forms of communication, the Final Rule allows regulators to prescribe other similar methods pursuant to which notice may be provided.

A bank service provider must notify at least one bank-designated point of contact at each affected banking organization customer. The Final Rule defines “bank service provider” to mean a bank service company or other person or entity that performs services subject to the Bank Service Company Act. A bank-designated point of contact is an email address, phone number, or any other contact previously provided to the bank service provider by the banking organization customer. If none, the bank service provider should notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

The Final Rule does not set forth any specific content or format for these notifications. Rather, the Final Rule is designed to ensure that the appropriate federal regulator receives timely notice of significant emergent incidents, while providing flexibility to the banking organizations and bank service providers to determine the content of the notification.

Federal bank regulatory agencies issued the Final Rule in response to the increasing frequency and severity of cyberattacks targeting the financial services industry. Recently, driven by similar concerns, the Federal Trade Commission announced a proposed rule that would require non-banking financial institutions to report certain data breaches and other security incidents to the FTC (as discussed here).

A copy of the Final Rule is available here. If you have any questions about the Final Rule, any other cybersecurity incident notification requirements, or your organization’s incident response plan, please contact one of the authors.