The banking regulators of the Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency jointly announced a new rule requiring banking organizations in the United States to notify regulators no later than 36 hours after identifying a cybersecurity breach likely to materially disrupt banking operations. According to the final rule, such an incident could include large-scale distributed denial of service (DDoS) attacks that disrupt customers’ access to their accounts and hacking incidents that shut down a bank’s operations for an extended period. The final rule also places separate notification requirements on companies that provide services to banks, such as data processing companies.
The rule is set to go into effect on April 1, 2022, with a compliance date of May 1, 2022.
Banking Organization Reporting Requirements
The new 36-hour deadline is triggered when a bank suffers a “computer security incident” that rises to the level of a “notification incident.”
While this includes more than just cyberattacks that expose personal information, not every computer security incident will trigger the reporting requirement. A “computer security incident” is defined as an incident that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” A bank is only required to inform its regulator if it experiences a computer security incident that rises to the level of a “notification incident.” Notification incidents are those computer security incidents that disrupt or degrade, or are reasonably likely to disrupt or degrade, the bank’s:
- Ability to carry out banking operations, activities or processes, or ability to deliver banking products and services to a material portion of its customer base, in the ordinary course of business.
- Business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value.
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Once a banking organization determines that a notification incident has occurred, it has 36 hours to provide notice by email, phone or a similar method to its federal regulator. The final rule notes that the regulators realize that after a banking institution experiences a computer security incident, it may take time to determine if the incident rises to the level of a notification incident. The 36-hour countdown therefore only begins after such a determination has been made.
Bank Service Provider Reporting Requirements
Under the final rule, bank service providers include bank service companies or other persons that perform services covered by the Bank Service Company Act (BSCA), but not designated financial market utilities, which are separately regulated by the Federal Reserve. Financial technology companies could unwittingly fall under this provision since banks are not required to notify their vendors as to whether they are considered bank service providers. Financial technology companies should therefore inquire with their bank counterparties as to whether they have been identified as a bank service provider in any correspondence with a banking regulator and confirm whether they are subject to the BSCA and, accordingly, this new 36-hour notice requirement.
For bank service providers, the notification requirement is triggered once the service provider determines that it has experienced a computer security incident that “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade” covered services provided to a banking organization for four or more hours. This notification must be made “as soon as possible” by email or phone to at least one designated point of contact at each of its affected banking organization customers. This requirement applies regardless of any differing notification requirements a bank service provider might have under contractual provisions.
The final rule excludes scheduled testing, maintenance and software updates that the service provider has previously informed its customers about. However, if the scheduled maintenance, test or update goes beyond what was communicated to the banking organization customer and meets the notification standard, then this exception does not apply.
This final rule is a significant departure from the proposal opened for public comment at the beginning of this year, with the 36-hour timeline taking the place of “immediate” notification, along with a more tailored definition of “computer security incident” that gives rise to a “notification incident.” The April 1, 2022 effective date and May 1, 2022 compliance date reflect requests for more time to implement the rule.