Keypoint: April 12, 2021 is the deadline to comment on a proposed rule that would require banking organizations and bank service providers to promptly report computer-security incidents.
The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively the “agencies”) are requesting public comment on a proposed rule that would require a banking organization to notify its primary federal regulator no later than 36 hours after it determines in good faith that a significant computer-security incident has occurred. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2399 (Jan. 12, 2021).
Understandably, the press release of December 18, 2020 describing the agencies’ proposed rule may have fallen off everyone’s radar, because the proposed rule was not published in the Federal Register until more than three weeks later. The Federal Register publication confirmed that the deadline to submit comments on the proposed rule is April 12, 2021. Instructions for submitting comments appear at pages 2399-2400 of the Federal Register notice.
The OCC, Board, and FDIC are proposing to amend their respective regulations in 12 CFR Parts 52, 225, and 304, for banking organizations and bank service providers to require prompt notification of any computer-security incident that rises to the level of a notification incident. Each of these terms is defined in the proposed rule:
- Banking organization means a national bank, federal savings association, or a federal branch or agency of a foreign bank.
- Bank service provider means a bank service company or other person providing services to a banking organization that is subject to the Bank Service Company Act.
- A computer-security incident is an occurrence that either
- Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the data processed, stored, or transmitted by that system; or
- Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
- A notification incident is a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair –
- The ability of the banking organization to carry out banking operations, activities, processes, or deliver banking products and services to a material portion of its customer base;
- Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Requirement to Notify
The agencies aligned their definition of a computer-security incident with the existing definition used by the National Institute of Standards and Technology, and they expressly recognized that not every computer-security incident will be significant enough to also be a notification incident. The proposed rule sets forth two different reporting requirements: one for banking organizations following a notification incident, and a second for bank service providers following certain computer-security incidents.
Under the proposed rule, if a banking organization believes in good faith that a notification incident has occurred, then it will be required to notify its agency of the incident verbally or in writing (through any technological method) as soon as possible and no later than 36 hours after the notification incident has been determined.
Similarly, if a bank service provider subject to the Bank Service Company Act experiences a computer-security incident that the provider believes in good faith could disrupt, degrade, or impair the services it provides for four hours or longer, then the provider will be required to immediately notify at least two individuals at each affected banking organization customer.
Potential Consequences for Regulated Entities
In the preamble to the proposed rule, the agencies expressly acknowledge that not every computer-security incident will constitute a notification incident, and that banking organizations will not always be able to make that determination immediately. The preamble includes a non-exclusive list of seven types of computer-security incidents that would be considered notification incidents. However, an incident may require a reasonable amount of time to analyze before a determination can be made. For that reason, the 36-hour clock does not start until the banking organization has determined that a notification incident has occurred. 86 Fed. Reg. 2302.
The agencies contend that the burden of the proposed rule is minimal relative to its benefits. If the agencies’ data are accurate, the proposed rule would result in roughly 150 notification incidents each year, each requiring about three hours of staff time to complete the notification process. Moreover, many banking organizations and service providers have already implemented procedures to notify stakeholders when a cyber or data security incident is suspected, so the proposed rule largely builds on procedures that would be performed regardless of the new requirement. Additionally, the proposed rule does not include new consequences or penalties for missing the notification deadlines.
For these reasons, the proposed rule may seem superfluous on its face. However, the agencies noted that: “These processes are not uniform or consistent between institutions and have not always resulted in timely notification being provided to the applicable regulator, which is why the agencies are issuing this proposal.” The agencies contend that one added benefit of earlier notification is that it will help them determine whether an incident is isolated or is one of several incidents that together might represent a coordinated attack on the financial system. 86 Fed. Reg. 2304.
Reasons to Submit Comments
The agencies are not only requesting comments on the proposed rule in general; they have also asked for comment on 16 specific topics, including the new definitions described above, the 36-hour time period, the good-faith belief standard, and the manner in which notifications are delivered. A complete list of the topics on which the agencies are requesting comment may be found at 86 Fed. Reg. 2305-2306.
Because the proposed rule could serve as a model for other agencies to follow, whether in the form of their own proposed rules or as supplemental guidance, similarly situated organizations that are regulated by agencies other than the OCC, the Board, or the FDIC may also want to submit comments on the proposed rule. Written comments are due no later than April 12, 2021.