On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary federal regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after the banking organization determines that such an incident has occurred.[1] The rule separately requires bank service providers to notify their banking organization customers if they experience a computer-security incident that has caused, or is reasonably likely to cause, a material disruption or degradation of covered services lasting four or more hours.
The final rule represents an effort by federal regulators to promote early awareness of emerging cyber threats to banking organizations and to the broader financial system.
Background
In January 2020, the FDIC and the OCC issued a joint statement that warned about the heightened cybersecurity risks faced by financial institutions and that encouraged those institutions to reevaluate the adequacy of their cyber safeguards.[i] More recently, on January 12, 2021, the FDIC and the OCC, together with the Board, issued a notice of proposed rulemaking to establish computer-security incident notification requirements for banking organizations and for bank service providers.[ii]
Over the next several months, the agencies received public comments addressing, for example, the appropriate definition of “computer-security incident,” the threshold for when a computer-security incident becomes a “notification incident” requiring notification under the rule, and the timing and method of notification to regulators. This included input from the American Bankers Association, which put together a working group of 100 members that advocated for a flexible approach to notification compatible with the needs of the financial industry.[iii]
Subsequently, in a public statement announcing the final rule on November 18, 2021, FDIC Chairman Jelena McWilliams explained that the new rule “seeks to allow the banking supervisors to be informed of the most significant cyberattacks in a timely fashion while avoiding unnecessarily difficult or time-consuming reporting obligations.”[iv] The FDIC, the OCC, and the Board stressed that the prompt notification of reportable incidents will have many benefits, including helping regulators to determine whether an incident is isolated or part of a larger pattern within the financial system and to respond more quickly to potential liquidity events.[v]
The Final Rule
The final rule has two main components: (1) a requirement for banking organizations to notify their primary federal regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after the banking organization determines that a "notification incident" has occurred; and (2) a requirement for bank service providers to notify their banking organization customers as soon as possible if they experience a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services for four or more hours. Note that the 36-hour clock in the first component runs from the organization's determination, not from the moment the incident began.
Notification by Banking Organizations
The final rule’s notification requirement for “banking organizations” applies to any “computer-security incident” that rises to the level of a “notification incident.”[vi] The rule defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”[vii] Such an incident becomes a “notification incident” when it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization’s ability to carry out banking operations or deliver products and services to a material portion of its customers, a business line whose failure would result in a material loss of revenue, profit, or franchise value, or operations whose failure would pose a threat to the financial stability of the United States.[viii]
For purposes of the FDIC’s jurisdiction, “banking organizations” include all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations.[ix] For the OCC, “banking organizations” include national banks, federal savings associations, and federal branches or agencies of foreign banks.[x] And for the Board, “banking organizations” include U.S. bank holding companies, savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge or agreement corporations.[xi]
In announcing the rule, the regulators provided a non-exhaustive list of incidents that would trigger the reporting requirement, including:
- large-scale distributed denial of service attacks;
- widespread system outages affecting core banking platforms;
- widespread user outages for customers and banking organization employees;
- unrecoverable system failures that result in activation of a banking organization’s business continuity or disaster recovery plan;
- computer hacking incidents that disable banking operations for an extended period of time;
- malware that poses an imminent threat to the banking organization’s core business lines or critical operations; and
- ransomware attacks that encrypt a core banking system or backup data.[xii]
Notification by Bank Service Providers
The rule also contains a separate requirement for “bank service providers,” defined as bank service companies or other persons that perform covered services for banking organizations under the Bank Service Company Act, to notify their banking organization customers as soon as possible after experiencing certain computer-security incidents. Incidents requiring notification are those that have materially disrupted or degraded, or are reasonably likely to materially disrupt or degrade, covered services provided to a banking organization for four or more hours.[xiii]
Banking organizations that receive such a notification from a bank service provider must then determine whether the incident rises to the level of a “notification incident” requiring, in turn, notification to their primary federal regulator.
Takeaways
The effective date of the final rule is April 1, 2022, with a compliance date of May 1, 2022.[xiv]
Banking organizations should use the time prior to the rule’s effective date to work with their internal personnel and outside advisors to revise their policies to implement the new rule’s requirements, especially given the short 36-hour window that opens once the organization determines a notification incident has occurred. This should include adopting internal protocols for identifying and triaging an incident, documenting when and how the “notification incident” determination is made, and reporting the incident to the appropriate agency. Additionally, banking organizations and their bank service providers should agree in advance on communication processes, including the bank-designated points of contact to which service-provider notices are sent, so that banking organizations receive and act on notice of incidents in a timely manner.
[1] The final rule was subsequently published in the Federal Register on November 23, 2021. See Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 66424 (Nov. 23, 2021).
[i] See FDIC, Heightened Cybersecurity Risk Considerations, FIL-03-2020 (Jan. 16, 2020), https://www.fdic.gov/news/financial-institution-letters/2020/fil20003.html.
[ii] Office of the Comptroller of the Currency, Computer-Security Incident Notification: Notice of Proposed Rulemaking, OCC Bulletin 2021-3 (Jan. 14, 2021), https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-3.html.
[iii] ABA Banking Journal, Agencies Finalize Rule Regarding Notification of Cyber Attacks (Nov. 18, 2021), https://bankingjournal.aba.com/2021/11/agencies-finalize-rule-regarding-notification-of-cyber-attacks/.
[iv] FDIC, Statement by FDIC Chairman Jelena McWilliams on the Final Rule on Computer-Security Incident Notification at the FDIC Board Meeting (Nov. 18, 2021), https://www.fdic.gov/news/speeches/2021/spnov1821.html.
[v] Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 66424, 66437 (Nov. 23, 2021), https://www.govinfo.gov/content/pkg/FR-2021-11-23/pdf/2021-25510.pdf.
[vi] Id. at 66442–44.
[vii] Id. at 66442.
[viii] Ibid.
[ix] Id. at 66444.
[x] Id. at 66442.
[xi] Id. at 66443.
[xii] Id. at 66431.
[xiii] Id. at 66442.
[xiv] Id. at 66438.