A proposed federal rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” would impose notification requirements on banking organizations and their service providers when cybersecurity incidents (as defined in the proposed rule) occur.

The rule was issued Jan. 12, 2021, by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC). The rule’s comment period concluded April 12.

The issuing agencies argue that the adoption of this proposed rule would support their missions by, among other things, requiring that agencies have earlier notice of emerging threats to individual banking organizations and the broader financial system. This notice may help limit losses in the event of significant data security incidents.

The proposed rule is largely seen to be in response to the recent security event at SolarWinds. In early 2020, SolarWinds was the subject of a major cybersecurity attack by foreign hackers. This attack left 18,000 customers vulnerable to hackers, as well as private companies and, significantly, multiple U.S. government agencies.

This proposed rule would establish two primary requirements: first, it would require a "banking organization" (as defined below) to notify its primary federal regulator of a "notification incident" no later than 36 hours after reasonably determining that a triggering event had occurred; second, it would require a "Bank Service Provider" to notify a banking organization immediately upon detecting the occurrence of an incident that materially impacts the service provider. Current public comments to the rule largely focus on the accelerated reporting timeline that the rule would require.

Who is covered

The proposed rule generally would apply to two types of entities: banking organizations and bank service providers.

It defines "banking organizations" as: 1) for the OCC, national banks, federal savings associations, and federal branches and agencies; 2) For the Federal Reserve Board, all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; Edge and agreement corporations; and; 3) for the FDIC, all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.

It separately defines "bank service providers" as bank service companies or other persons “providing services to a banking organization that are subject to the Bank Service Company Act (BSCA)."

New reporting obligations under the proposed rule

The proposed rule imposes different obligations on organizations depending on whether the entity in question is a "banking organization" or a "bank service provider."

Proposed obligations for banking organizations

The proposed rule would require banking organizations to notify their primary federal regulator of any "computer-security incidents" that rise to the level of a "notification incidents" as soon as possible, but no later than 36 hours after the banking organization believes in good faith that the incident occurred. The proposed rule defines a "computer-security incident" as an occurrence that:

  1. Results in actual or potential harm to the confidentiality, integrity, or availability or an information system or the information the system processes, stores, or transmits; or
  2. Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

The proposed rule makes it clear, however, that not all computer-security incidents rise to the level of an incident triggering obligations under the proposed rule. Only "notification incidents" trigger notification obligations for banking organizations under the proposed rule. The proposed rule defines "notification incidents" as computer-security incidents that a banking organization believes in good faith could "materially disrupt, degrade, or impair:

  1. The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  2. Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
  3. Those operations of a banking organization, including associated services, functions and support, as applicable the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

It additionally addresses the obligations of banking organizations that are subsidiaries are subject to the proposed rule’s notification requirements. The proposed rule would require subsidiary organizations that experience notification incidents to alert their parent banking organizations "as soon as possible" of the notification, as well as notifying its primary federal regulator. In those circumstances, a parent banking organization would also be expected to make a separate assessment of whether it has also suffered a notification incident, which would require that the parent organization notify its primary federal regulator. If a subsidiary of a banking organization is not itself a banking organization; however, it is not expected to adhere to a notification requirement under the proposed rule. Instead, the parent banking organization would be expected to assess whether the incident occurring at its subsidiary qualifies as a notification incident that requires reporting under the proposed rule.

The proposed rule gives examples of events that rise to the level of "notification incidents" and thus would trigger notification obligations for banking organizations. These events include:

  1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time;
  2. A failed system upgrade or change that results in widespread user outages for customers and bank employees;
  3. An unrecoverable system failure that results in activation of a banking organization's business continuity or disaster recovery plan;
  4. A computer hacking incident that disables banking operations for an extended period of time;
  5. Malware propagating on a banking organization's network that requires the organization to disengage all internet-based network connections; and
  6. A ransomware attack that encrypts a core banking system or backup data.

Under the proposed rule, banking organizations would be subject to these notification obligations regardless of whether the notification incident resulted from criminal acts, non-malicious computer-security incidents caused by software or hardware errors, or actions of staff managing those computer resources. Note that under the proposed rule, banking organizations would still be expected to contact relevant law enforcement or security agencies, as appropriate, following an incident that may be criminal in nature.

Proposed obligations for bank service providers

The proposed rule recognizes the increased reliance of banking organizations on bank service providers. Thus, it provides that the proposed rule would require a bank service provider that provides services described under the BSCA to notify at least two individuals at affected banking organization customers "immediately after experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours."

The proposed rule provides a list of services subject to the BSCA, which, if disrupted, degraded, or impaired, could trigger the proposed rules’ obligations for bank service providers. These services include: check deposit and sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, data processing, and bookkeeping, accounting, statistical, or similar functions performed for a depository institution.

Shorter deadlines could cause false reports

Although regulators acknowledge that the proposed rule would impose new obligations on banking organizations and their service providers, they assert that the costs of compliance would not be significant because the proposed rule just formalizes actions already present in entities' incident response plans. Specifically, regulators argue that banking organizations generally already include protocols for notifying the relevant regulators.

However, concerns persist over how this proposed rule would affect covered entities. If finalized, it will cut the amount of time given to banking organizations by half of the 72-hour standard enforced by the N.Y. Financial Services Department cyber-rules and now the GDPR. The agencies issuing the NPR estimate that it would only take three hours to evaluate the potentially triggering event and, if appropriate, notify the banking organization's federal regulator.

In reaching this estimate, the agencies accounted for time in which banking organizations would coordinate internal communications, consult with bank service providers where appropriate, and notify the banking organization's primary federal regulator. The agencies' estimate includes discussion of the incident among the banking organization's stakeholders, including the chief information officer, chief information security officer, compliance officers, and senior staff. Notably, this estimate does not account for any time in which a banking organization can consult with outside counsel or conduct various testing that is commonplace after a cybersecurity event.

Furthermore, the expedited notification requirement decreases the time banking organizations have to fully understand the scope and significance of the notification incident at issue. With that in mind, it’s easy to imagine the notification requirement leading to more “false alarm reporting,” where neither the organization nor those whose personal data is being held by organization are affected by what was initially thought to be a more significant incident.