Federal Banking Agencies Propose Cybersecurity-Incident Notification Rule for Banks and Their Third-Party Service Providers
On December 15, 2020, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Agencies) issued a proposed rule (Proposed Rule) that would impose new notification requirements for significant cybersecurity incidents. If adopted without substantial change, the Proposed Rule would require banking organizations to notify their primary federal regulator promptly, and not later than 36 hours after, the discovery of such incidents, termed "computer-security incidents" that are "notification incidents."
The Proposed Rule would add to banking organizations' existing statutory and regulatory obligations for notification of security incidents, including those prescribed under the Interagency Guidelines Establishing Information Security Standards,1 the Bank Secrecy Act (BSA) and regulations and guidance promulgated thereunder, and state data security breach notification laws and regulations. The existing requirements generally mandate reporting of data security breaches involving sensitive information either to the Agencies or another governmental agency with jurisdiction over the reporting institution. The Agencies consider these existing rules to be insufficient from a supervisory perspective, and believe the Proposed Rule will fill an important gap by requiring prompt notification that could help protect the safety and soundness of banking organizations and, in more severe cases, the stability of the financial system.
The Agencies are inviting comments on the Proposed Rule, which must be submitted within 90 days from the date that the Proposed Rule is published in the Federal Register.
In describing the purpose of the Proposed Rule, the Agencies highlight the substantial volume of cybersecurity threats facing banks and the increased reliance by banks upon third-party service providers for the performance of essential technology-related functions, including those involving access to and handling and storage of banks' sensitive data and providing support to critical information systems. According to the Agencies, the Proposed Rule would help counteract these threats by requiring banking organizations to provide their primary regulators with "early alerts" of cybersecurity incidents even before the organizations are in a position to provide detailed assessments of such incidents. This would help the Agencies to more quickly and effectively understand the potential impact of a particular incident and the actions that may be required to protect affected organizations and the financial system as a whole.
Of note, the Proposed Rule is similar in certain respects to the cybersecurity reporting requirements implemented in 2017 by the New York State Department of Financial Services (NYDFS) that apply to NYDFS-licensed banks, insurance companies and producers and other financial services firms (Part 500). Part 500, which was branded at the time of its adoption as a "first-in-the-nation" cybersecurity regulation, requires covered institutions to notify the NYDFS within 72 hours after determining a cybersecurity event either has (i) impacted the institution and requires notice to any government body, self-regulatory agency or any supervisory body; or (ii) a reasonable likelihood of materially harming any material part of the normal operations of the institution. To comply with the Part 500 reporting requirements, many NYDFS-licensed institutions had to adjust their cybersecurity incident reporting policies and procedures, including by revising vendor agreements and vendor risk management programs to ensure timely notification by their vendors of events that could adversely impact the licensed institutions.
Scope of the Proposed Rule
The Proposed Rule applies to "banking organizations" as defined under the respective regulations of the three issuing banking agencies, i.e.: (i) national banks, federal savings associations, and federal branches and agencies under the OCC regulations; (ii) all US bank holding companies and savings and loan holding companies, state member banks, the US operations of foreign banking organizations, and Edge and agreement corporations under the FRB regulations; and (iii) all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations under the FDIC regulations. In addition, bank service providers and companies or persons providing services subject to the Bank Service Company Act are subject to the Proposed Rule and would be required to notify at least two individuals at an affected banking organization "immediately" after experiencing an incident that could adversely affect those services for as much as four hours.
Computer-Security Incidents and Notification Incidents
Under the Proposed Rule, a banking organization would be required to provide notice to its primary federal regulator promptly and not later than 36 hours after determining in good faith that a "computer-security incident" arising to the level of a "notification incident" has occurred. The Proposed Rule release notes that the Agencies understand that banking organizations would be required to take a reasonable amount of time to investigate an incident in order to make a determination as to whether the incident is reportable. Accordingly, the 36-hour time period within which notice would be required would not begin until such determination has been made.
A "computer-security incident" is defined under the Proposed Rule as an event that:
- "results in actual or potential harm to the confidentiality, integrity or availability of an information system or the information the system processes, stores, or transmits; or
- constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies."
A "notification incident" is defined as a "computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair:
- the ability of the banking organization to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States."
The Proposed Rule provides an illustrative list of examples of events that would be considered "notification events," among which are large-scale distributed denial-of-service attacks that disrupt customer account access for an extended period of time, cyberattacks that disable a bank's operations or require the disengagement of its systems, and systems outages or failures for which recovery time is not determinable and/or which require activation of a bank's business continuity or disaster recovery plans.
As noted, the Proposed Rule not only requires banks to notify their primary regulators, but also requires banks' third-party service providers to notify any affected bank "immediately" after experiencing any incident that the service provider believes "in good faith could disrupt, degrade, or impair service provided by that entity to the bank for four or more hours." In addition, banking organizations are required, as applicable, to notify their parent holding companies of any "notification incident" and the parent holding companies are required to conduct a separate assessment of the incident to determine whether their primary regulator must be notified. The nonbank subsidiaries of banking organizations would not have a separate reporting obligation under the Proposed Rule; rather, the parent banking organization would be required to assess any cybersecurity incident affecting such subsidiaries and to make a determination as to whether the banking organization's primary regulator must be notified.
Requirements for Cybersecurity Incident Notices
Because a principal purpose of the Proposed Rule is to accelerate notices of cybersecurity events to the Agencies, the Proposed Rule does not prescribe any content or formatting requirements for such notices. Rather than requiring reporting institutions to provide a formal assessment of an incident, the Proposed Rule provides that institutions should share general information about what they know at the time of notice. And they can convey that information through any form of communication, whether written or oral or by any technological means (e.g., by e-mail or telephone). The notices are to be provided to a designated point of contact identified by the banking organization's primary federal regulator (e.g., an examiner-in-charge).
If the Proposed Rule is adopted without substantial modification, banking institutions and their service providers will need to update their security incident response plans and business continuity and disaster recovery plans, as well as their vendor risk management programs and oversight processes. Among other things, the regulated entities will need to prescribe protocols and procedures for proper identification and documentation of "computer-security incidents" and "notification events," internal and external communication processes (including escalation to senior management and boards of directors, coordination with third-party service providers, and processes for communicating with the Agencies), and vendor contract review and oversight processes. As effective data security becomes increasingly challenging to guarantee, the additional vigilance that compliance with the Proposed Rule would entail may serve to enhance regulated entities' existing readiness to respond to threats to computerized information systems.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.