Federal Bank Regulators Adopt New Cybersecurity Incident Notification Rule for Banks and Their Third-Party Service Providers
On November 23, 2021, the federal banking agencies—i.e., the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Agencies)—published a final rule (the Rule) that imposes new notification requirements on banking organizations and bank service providers following significant cybersecurity incidents. Under the Rule, certain banking organizations are obligated to notify their primary federal regulator promptly, and not later than 36 hours, after the discovery of a “computer-security incident” that rises to the level of a “notification incident,” as such terms are defined in the Rule. The Rule also requires certain bank service providers to notify each affected institution as soon as possible once the service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. These prompt notification requirements are intended to put the Agencies in a position to more quickly and effectively understand the potential impact of an incident as well as the actions that may be required to protect affected organizations and avert systemic problems. Moreover, as the Agencies note, these requirements will be particularly helpful in mitigating or preventing certain adverse liquidity events.
The Rule will take effect on April 1, 2022, and banking organizations and their bank service providers will then have 30 days to meet the deadline for compliance: May 1, 2022.
The Rule supplements banking organizations’ existing obligations to provide notification for security incidents under various laws and regulations, including the Interagency Guidelines Establishing Information Security Standards, the Bank Secrecy Act (BSA), and regulations and guidance promulgated thereunder, as well as state and other data breach notification laws and regulations.[1] The Rule contains elements similar to the cybersecurity reporting requirements set forth under the cybersecurity regulations of the New York Department of Financial Services (NYDFS), which apply to NYDFS-licensed banks, insurance companies and producers, and other financial services firms (Part 500). Part 500, which was billed at its adoption in 2017 as a “first-in-the-nation” cybersecurity regulation and remains one of the most comprehensive cybersecurity rules governing financial institutions, obligates covered institutions to notify the NYDFS within 72 hours after determining certain cybersecurity events have occurred. Financial institutions that have adjusted their cybersecurity incident reporting policies and procedures to comply with the requirements of Part 500 will be well-positioned to adapt to the new requirements imposed by the Rule.
The Agencies issued the Rule after considering comments from banking and financial sector entities, third-party service providers, industry groups, and individuals on the proposed version of the Rule issued by the Agencies in December 2020.[2] In general, the commenters supported the proposal and the notion that early notification will help improve the safety and soundness of financial institutions. However, there were some criticisms, and the Agencies made modifications to respond to some of them—including by narrowing the definition of “computer-security incident” to focus on actual, rather than potential, harm to information and systems, and by replacing the “good faith belief” standard for concluding that a notification incident had occurred with a “determination” standard.
The Rule applies to “banking organizations”[3] as defined under the respective regulations of the Agencies. Applicable regulations exempt financial market utilities—i.e., persons managing or operating a multilateral system for purposes of certain financial transactions—designated as “systemically important” under Title VIII of the Dodd-Frank Act. Systemically important entities are those whose failure could, among other things, threaten the stability of the financial system of the United States. Given that these designated market utilities—of which there are eight currently—are subject to the jurisdiction of the SEC or CFTC, this exclusion serves to not burden them with unintended duplicative regulatory obligations.
The Rule also applies to bank service providers, which includes a bank service company or other person performing “covered services.”[4]
Computer-Security Incidents and Notification Incidents
As noted, the Rule obligates banking organizations to provide notice to their primary federal regulator as soon as possible and no later than 36 hours after determining that a “computer-security incident” rising to the level of a “notification incident” has occurred. As the Agencies explained in issuing the Rule, this requirement will enhance their ability to facilitate requests for assistance on behalf of affected organizations so as to minimize the impact of a particular incident. For example, where an incident is one of many smaller ones occurring at multiple banking organizations, the Agencies would be better positioned to alert other banking organizations to the threat and propose measures to prevent similar incidents from recurring.
A “computer-security incident” is defined under the Rule as an event that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
A “notification incident” is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Some examples of incidents that the Regulators consider “notification incidents” under the Rule are large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, incidents that disable banking operations for an extended period of time, and unrecoverable system failures that result in the activation of a banking organization’s business continuity or disaster recovery plan. The Agencies encourage banking organizations to err on the side of caution in reporting, recognizing that banking organizations may notify “upon a mistaken determination that a notification incident has occurred.” In such instances, the Agencies note they “generally do not expect to take supervisory action.”
Bank service providers are also required to notify at least one bank-designated point of contact at an affected banking organization customer “as soon as possible” after determining that they have experienced an incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. Receiving early notification of such incidents will help banking organizations assess the extent to which an incident may impact them and determine whether their own notification requirement has been triggered.
Requirements for Cybersecurity Incident Notices
In line with its intention to accelerate notices of cybersecurity events to the Agencies, the Rule does not prescribe specific content or formatting requirements for the notices. Rather, banking organizations must provide general information about what they know of the incident via email, telephone, or other similar methods authorized by the relevant primary regulator. Bank service providers generally must notify at least one bank-designated point of contact at each banking organization customer, using an email address, phone number, or any other contact information previously provided to the service provider by the customer (or, if none was previously provided, by contacting the CEO and CIO of the banking customer, or two individuals of comparable responsibilities, through “reasonable means”). These flexible notice requirements are designed to ensure regulators and banking organizations receive notification on as expedited a timeline as possible so they can move quickly to address any matters of concern.
As cyberattacks on financial institutions grow in frequency and severity, there is a corresponding need for these institutions and the agencies that regulate them to be vigilant in assessing and responding to emerging threats. As the Agencies have noted in the past, this need is particularly critical given banks’ increased reliance on third-party service providers for the performance of essential technology-related functions. And while other laws and regulations already require banking organizations to report certain computer-security incidents to their primary federal regulator, the Rule expands on the types of incidents requiring notification and has a tight notification deadline.
To comply with the Rule, financial institutions may need to update their incident response plans, internal notification policies, and risk management plans, as well as redesign and re-run their incident response training exercises. Financial institutions that have questions or might want assistance with these or other steps to ensure compliance with the Rule may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm’s Financial Services and Privacy, Cybersecurity and Data Strategy teams would be pleased to assist with any questions about cybersecurity compliance and enforcement more broadly.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] The Rule comes on the heels of the FTC’s recent issuance of a Notice of Proposed Rulemaking that, if adopted, would supplement non-banking financial institutions’ obligations under the recently amended Safeguards Rule, promulgated under the Gramm-Leach-Bliley Act, to require certain information security events affecting at least 1,000 customers be reported to the FTC. You can read Arnold & Porter’s Advisory on the FTC’s Notice here: FTC Amends GLBA Safeguards and Privacy Rules; Proposes New Security Incident Reporting Obligations for Financial Institutions.
[2] You can read Arnold & Porter’s Advisory on the proposed rule here: Federal Banking Agencies Propose Cybersecurity-Incident Notification Rule for Banks and Their Third-Party Service Providers.
[3] “Banking organizations” are defined in the Rule as (i) national banks, Federal savings associations, and federal branches and agencies under the OCC regulations; (ii) all U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations under the FRB regulations; and (iii) insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations under the FDIC regulations.
[4] “Covered services” are defined in the Rule as services performed, by a person, that are subject to the Bank Service Company Act. These services include check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution. (12 U.S.C. 1863)