New cyber incident reporting rules for U.S. banking organizations and their service providers take effect soon. It’s important to understand key definitions in the rules and prepare for complying with new requirements, which take effect April 1.
The rules from the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve (board), and the Federal Deposit Insurance Corporation (FDIC) are important because they broaden the types of incidents that require agencies to be alerted, and reflect the fact that banks have become increasingly reliant on third parties for essential services.
There is hope that these rules will prevent widespread outages for customers and banking organization employees, and protect banks from disruptions that impact business operations and customer service.
Two Primary Requirements
The final rule contains two primary requirements: First, banking organizations must notify their primary federal regulator of any “computer-security incident that rises to the level of a notification incident” as soon as possible—but no later than 36 hours after a determination that such an incident has occurred.
Not all incidents are notification incidents—only those that “have materially affected, or are reasonably likely to materially affect—the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.”
Second, a bank service provider must notify each affected banking organization as soon as possible when the provider determines it has experienced a computer-security incident that “has caused, or is reasonably likely to cause a material service disruption or degradation for four or more hours.”
This allows the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization, and thus whether it must notify its regulator.
What Is a ‘Banking Organization’?
Whether one is a “banking organization” or a “bank service provider” subject to the rule depends on which agency is your primary regulator. For the OCC, “banking organizations” include national banks, federal savings associations, and federal branches and agencies of foreign banks.
For the board, “banking organizations” include U.S. bank holding companies and savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations.
For the FDIC, “banking organizations” include all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations. For all three agencies, it excludes supervised, designated financial market utilities (FMUs).
A “bank service provider” is defined as “a bank service company or other person that performs covered services,” although this also excludes designated FMUs.
What Are ‘Incidents’?
Two other definitions that are key to understanding this rule include: (1) “computer-security incident” and (2) “notification incident.”
A “computer-security incident” is an occurrence that: results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
A “notification incident” is a “computer-security incident” that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade” a banking organization’s ability to carry out business operations and activities, as further defined in the rule.
A “near miss” or attempt would only be reportable if it results in actual (or reasonably likely) harm to the extent the banking organization determines it is a reportable notification incident.
Timing of Notification
Despite comments advocating for 72 hours, agencies believe that 36 hours is appropriate.
However, they do not expect that a banking organization would be able to determine that a notification incident has occurred immediately upon becoming aware of the incident, and only “once the banking organization has made such a determination would the 36-hour time frame begin.”
Method, Content of Notification
Although the agencies concluded that email and telephone are the best currently available notification methods, they built flexibility into the rule by requiring notification by email, telephone “or other similar methods” that the individual agencies may prescribe.
As for content, the requirement is intended as an “early alert,” and the agencies anticipate that banking organizations will share only the general information known at the time of the incident. No specific information, form, or template is required beyond the fact that a notification incident has occurred.
Steps for Compliance
The rule takes effect April 1 and compliance begins on May 1.
In preparing for compliance, banking organizations should review internal policies and revise them if needed. This includes:
- Ensuring proper technical, administrative, and physical safeguards are in place to discover computer-security incidents, as well as policies and procedures to determine whether they rise to the level of a notification incident;
- Maintaining appropriate regulatory points of contact so that the agency can be quickly contacted in the event notification is required;
- Proactively designating and distributing internal contact information to banking service providers; and
- Reviewing service provider agreements to ensure that any notification provisions comply with the new rule, and that agreed-upon methods of communication are proactively identified and included.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Brandon N. Robinson is a partner at Balch & Bingham LLP. He counsels clients regarding cybersecurity and data privacy issues such as data breach management and response, and compliance with federal, state, and sectoral privacy laws and regulations.