On November 18, 2021, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation jointly announced the approval of a final rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system. The rule applies to banking organizations, including national banks, U.S. bank holding companies, and insured state savings associations, as well as bank service providers.
Banking Organization Notification: The rule requires a banking organization to notify its primary federal regulator of any computer-security incident that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after determining that such an incident has occurred. A “notification incident” is defined as a computer-security incident that has or is reasonably likely to materially disrupt a banking organization’s: “(i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.” A “computer-security incident” is defined as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores or transmits.”
The reporting requirements for banking organizations are the same whether the primary federal regulator is the Federal Reserve, the OCC, or the FDIC, and the final rule does not specify the format or content of the report that must be provided to the respective agency.
Bank Service Provider Notification: Under the final rule, bank service providers must notify affected banking organization customers “as soon as possible” when the provider determines that it has experienced a “computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.”
Notification must be made either to a bank-designated point of contact or, if there is none, to the bank’s CEO and CIO or to two individuals of comparable responsibilities. Bank service providers need not notify banking organization customers of any scheduled maintenance, testing, or software update that was previously communicated to those customers.
The rule becomes effective on April 1, 2022, and compliance is required as of May 1, 2022.
Final Rule Revised in Response to Comments
First proposed in December 2020, the rule was revised by the agencies in two key ways in response to comments. First, the originally proposed definition of a “computer-security incident” aligned with NIST standards and included “any occurrence that results in actual or potential harm” to an information system or the information contained therein. (Emphasis added.) In response to comments, the agencies narrowed that definition for the final rule to include only an occurrence that results in actual harm to an information system or the information contained within it, thus decreasing the potential regulatory burden. Second, the definition of “notification incident” was adapted to include a “reasonably likely” standard for whether the incident materially disrupts or degrades the banking organization or its operations, in lieu of the more expansive language that was initially proposed.
The agencies explicitly declined to exclude particular incidents from the notification requirements, such as any incident lasting less than 48 hours or incidents that affect certain types of computer systems, such as compromises of a bank’s marketing or personnel systems. Rather than removing incidents from the scope of the notification requirement, the agencies reasoned that focusing on the material adverse effects of a computer-security incident better ensures that notification is made for the most serious incidents.