US Banking Regulators Propose a 36 Hour Cyber Incident Reporting Rule
January 12, 2021
Behnam Dayanim, Jackie Cooney and Daniel Julian
Federal financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) (collectively, the “Regulators”), issued on December 18, 2020, a Notice of Proposed Rulemaking titled “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.”
Existing financial services (GLBA) regulatory guidance already requires supervised banking organizations to notify their primary federal regulators “as soon as possible” if they become aware of an incident involving unauthorized access to, or use of, sensitive customer information. However the existing requirements are narrow in scope and limited to incidents that result in the compromise of sensitive customer information.
The proposed rule would expand the reporting requirements to require supervised banking organizations to notify their primary federal regulators in the event of any “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would also apply to companies that provide certain services to those banks, including data processing. Service providers would be required to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.”
The intent of the proposed rule is to provide the Regulators with an early warning of significant computer-security incidents, and would require notification as soon as possible and no later than 36 hours after a supervised banking organization determines that an incident has occurred. The Regulators note that the notification requirement is not intended to provide a complete and thorough assessment of any particular incident.
In the proposed rule a “computer-security incident” is defined as “an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” (Emphases added.)
As noted above, notice to Regulators would be required where a “computer-security incident” escalates to the level of a “notification incident.” The proposed rule defines a “notification incident” as a computer-security incident that a supervised banking organization believes “in good faith could materially disrupt, degrade, or impair
- the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
In the supplementary information section of the proposed rule, Regulators provide a “non-exhaustive list of events that would be considered “notification incidents” under the proposed rule:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
- A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and bank employees;
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware propagating on a banking organization’s network that requires the banking organization to disengage all Internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.”
Regulators acknowledge that a “computer-security incident” may result from non-malicious hardware or software, or from human error – and further explain that “[o]ther computer-security incidents, such as a limited distributed denial of service attack that is promptly and successfully managed by a banking organization, would not require notice to the appropriate agency.”
Interested parties may submit comments within 90 days following publication of the proposed rule in the Federal Register.