Speedy Reporting of Computer-Security Incidents
Legal Line - February 2022

Article by DeMarion Johnston

An increase in cyberattacks against financial institutions has resulted in a new notification rule that will require banks to give prompt notice of significant computer-security incidents to their regulators.  The Office of the Comptroller of the Currency (“OCC”), The Board of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), and Treasury (collectively, “Agencies”) have jointly issued a final rule (“Rule”) with an effective date this spring that requires a banking organization to notify its primary federal regulator of certain computer security incidents as quickly as possible. [1]

The Rule has two primary requirements: (1) a “banking organization” must notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible but no later than 36 hours after a determination by the banking organization that such incident has occurred, and (2) a “bank service provider” must notify at least one designated point of contact at each affected banking organization customer as soon as possible after a determination by the provider that a “computer-security incident” has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services for four or more hours.  

Who Must Report?

The first issue to address when applying the new Rule’s requirements is understanding who is required to report.  “Banking organizations” are defined in the Rule as national banks, federal savings associations, and federal branches and agencies of foreign banks for OCC-regulated entities; U.S. bank holding companies, savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations for Board-regulated entities; and insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations for FDIC-regulated entities.  “Bank service provider” means a bank service company or other person that performs services that are subject to the Bank Service Company Act (“covered services”).  Designated financial market utilities are excluded from both definitions.

What Events Trigger a Reporting Requirement?

Another issue to address when applying the Rule is knowing which events trigger a required report.  For both banking organizations and bank service providers, a “computer-security incident” must occur.  The Rule defines such an incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.  A banking organization, however, is not required to report every computer-security incident, only those that rise to the level of a “notification incident.”  A notification incident occurs when a computer-security incident has disrupted or degraded, or is reasonably likely to disrupt or degrade, a banking organization’s (i) ability to carry out banking operations, activities or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.  Similarly, a bank service provider is required to report only those computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, covered services provided to a banking organization for four or more hours.

The Rule gives examples of reportable computer-security incidents, including a large-scale cybersecurity attack that prevents customers from accessing their accounts for an extended time and a computer hacking event that shuts down banking operations for an extended time.

What About Timing and Methods of Reporting?

Other issues to address when applying the new Rule’s requirements relate to the timing, delivery, and method of the notice.  Banking organizations must notify the point of contact designated by their primary federal regulator by email, telephone or other method that the regulator has prescribed, as soon as possible but no later than 36 hours after the banking organization determines that a notification incident has occurred.

Bank service providers must notify at least one bank-designated point of contact at every affected banking organization customer as soon as possible when the provider experiences any computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization customer for four or more hours.  A bank-designated point of contact is an email address, phone number, or any other contact previously provided to the bank service provider.  If there is no bank-designated point of contact for a banking organization, the service provider must notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

What Can Your Bank Do Now to Be Prepared?

The Agencies have stated that the purpose of this Rule is to, among other things, raise early awareness of emerging threats to banking organizations and the financial system, and to help the Agencies respond to individual threats before they grow into a systemic problem.  The Rule’s quick reporting requirements may prove to be challenging.  In anticipation of the Rule’s effective date, banks should designate necessary points of contact and implement procedures for recognizing notification incidents within the bank, for receiving notification reports from service providers, and for assessing whether a service provider’s computer-security incident could have a material impact on the bank and trigger its own notification requirement.

For more information about this article or other legal banking issues, contact DeMarion Johnston, VBA General Counsel, at djohnston@vabankers.org. This article has been prepared for informational purposes only and is not legal advice.

[1] 12 C.F.R. §§ 53, 225, and 304.  See https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank