On November 18, 2021, the Office of the Comptroller of the Currency (the “OCC”), the Board of Governors of the Federal Reserve System (the “Board”), and the Federal Deposit Insurance Corporation (the “FDIC”) issued a final rule (the “Final Rule”) that requires any financial institution subject to their respective jurisdictions to notify its primary federal regulator of any “computer security incident” that rises to the level of a “notification incident,” as those terms are defined in the Final Rule, as soon as possible and no later than 36 hours after the institution determines that a notification incident has occurred.[1] The Final Rule also requires a service provider to a financial institution to notify each affected institution as soon as possible when the service provider determines that it has experienced a computer security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
The Final Rule follows a proposed rule announced by the same regulators in December 2020 (the “Proposed Rule”) and reflects some substantive revisions to the Proposed Rule. The federal regulators received 35 comments from banks, service providers, and consumer advocacy groups, the majority of which supported the Proposed Rule and the need for prompt notice of significant data incidents involving financial institutions. However, some commenters took issue with definitions provided under the Proposed Rule and some of the specific notification provisions for financial institutions and service providers. The Final Rule takes effect April 1, 2022, and compliance is required beginning May 1, 2022.
For those financial institutions not subject to the jurisdiction of the OCC, the Board or the FDIC, note that the Federal Trade Commission (the “FTC”) is in the process of proposing amendments to the Safeguards Rule that would require nonbank financial institutions subject to the FTC’s jurisdiction to report certain data breaches and other security events to the FTC.
Relevant Definitions
Only those computer security incidents that rise to the level of notification incidents are required to be reported to federal regulators.
The Final Rule defines a “computer security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” Note that this is more limited than the definition in the Proposed Rule, which would have included potential occurrences and occurrences that constituted a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.
The Final Rule defines a “notification incident” as “a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
Reporting by Financial Institutions
Under the Final Rule, a financial institution must notify its primary federal regulator of a notification incident (as defined above) as soon as possible and no later than thirty-six (36) hours after the institution determines that a notification incident has occurred. Note that this provides financial institutions with half as much time to report an incident as is allowed under either the EU’s General Data Protection Regulation or the New York Department of Financial Services’ cybersecurity regulations. The federal regulators believe that the more onerous timing requirement is offset by the narrowed definition of “computer security incident” in the Final Rule compared to the Proposed Rule.
A financial institution may give notice in writing or verbally (including email or telephone) to the institution’s designated point-of-contact at the institution’s primary federal regulator. The federal regulators anticipate that financial institutions will share general information about the facts known at the time of the incident. No specific information is required in the notification other than that a notification incident has occurred. The Final Rule does not prescribe any form or template. The notifications, and any information related to the incident, would be subject to the regulator’s confidentiality rules.
The introduction to the Final Rule acknowledges that a financial institution will need to undertake a reasonable investigation to determine whether a notification incident has occurred and explicitly provides that the 36-hour notification period only starts once the financial institution has finally determined that a notification incident has occurred.
Helpfully, the Final Rule also acknowledges that not all data incidents are reportable and provides a non-exhaustive list of events that would rise to the level of a notification incident:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
- A service provider that is used by a financial institution for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and financial institution employees;
- An unrecoverable system failure that results in activation of a financial institution’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on a financial institution’s network that poses an imminent threat to its core business lines or critical operations or that requires it to disengage any compromised products or information systems that support its core business lines or critical operations from Internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.
The Final Rule provides that affiliated financial institutions each have separate and independent notification obligations. Each financial institution needs to make an assessment of whether it has suffered a notification incident about which it must notify its primary federal regulator. Subsidiaries of financial institutions that are not themselves financial institutions subject to the Final Rule do not have notification requirements under the Final Rule. However, if a computer security incident were to occur at such a subsidiary, the parent financial institution would need to assess whether the incident was a notification incident for it, and if so, it would be required to notify its primary federal regulator.
Reporting by Service Providers
Only service providers that perform services for a financial institution and that are subject to the Bank Service Company Act (the “BSCA”) are subject to the Final Rule. The Final Rule does not further define the services that are subject to the BSCA. The Final Rule requires a service provider to notify each affected financial institution customer as soon as possible after the service provider determines that it has experienced a computer security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four or more hours.”
Under the Final Rule, a service provider may comply with its duty by notifying a contact designated by the financial institution or, if no such contact has been designated, notifying the financial institution’s chief executive officer and chief information officer (or two individuals with comparable responsibilities).
The introduction to the Final Rule indicates that the federal regulators do not anticipate the Final Rule to add a significant burden to service providers, as many service providers are already subject to contractual requirements to provide notification to financial institutions in the event of a data incident.
Next Steps
In light of the Final Rule, we recommend doing the following prior to the May 1, 2022, compliance deadline:
- Financial institutions and service providers subject to the Final Rule should review their incident response plans and other relevant policies and procedures to ensure that they will be able to satisfy the onerous notice obligations under the Final Rule. For example, such plans and policies should provide for the escalation of suspected computer security incidents to a specific individual (preferably identified by his or her title) as soon as reasonably practicable.
- Financial institutions should adopt procedures and develop relevant standards that will enable them to determine quickly whether a computer security incident rises to the level of a notification incident.
- Financial institutions should include updated contact information for their primary regulators, and service providers should document the appropriate points of contact at their customers, specifically for the purpose of reporting computer security incidents.
- Banks should update their form service provider agreements as well as agreements with current service providers to impose notice requirements that track the Final Rule.
[1] See 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC.