Publication
Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
Michael Canale and Saule Kassengaliyeva
In 2019, the Federal Bureau of Investigation’s Internet Crime Complaint Center received a record number of cybercrime complaints, averaging more than 1,300 per day.[1] The December 2020 SolarWinds hack impacted more than 1,800 institutions, including multiple banking and financial services organizations. Shortly after the SolarWinds’ hack became public, the New York State Department of Financial Services (NY DFS) released Cybersecurity Requirements for Financial Services Companies mandating to report cyberattacks that may lead to material harm.[2]
A few weeks after the unveiling of the NY DFS requirements, three federal agencies proposed a similar ruling that impacts banking organizations across the US. On January 12, 2021, the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, and Federal Deposit Insurance Corporation published a joint proposal that requires banking organizations to report computer-security incidents to their primary regulator.[3]
If the rule is adopted, a banking organization would need to determine if an incident meets the criteria of a “notification incident” and, if so, notify a primary regulator within thirty-six hours of making the determination. The reporting timeline is half of the seventy-two-hour standard used by other regulators such as the NY DFS. The agencies describe a “notification incident” as a computer-security incident that “could materially disrupt, degrade, or impair—the ability of the banking organization” to deliver a normal service level to a “material portion of its customer base” and/or would result in a material financial loss or threaten the financial stability of the US banking system.[4] The proposed rule also extends the notification requirement to bank service providers, requiring them to inform two or more representatives of the affected banking organization of any events that “disrupt, degrade, and impair services … for four or more hours.” Banking organizations should evaluate their level of preparedness to comply with the proposed rule by considering the following:
Reporting capabilities
The agencies acknowledge that the existing reporting procedures are insufficient and cumbersome given the proposed reporting and timeline requirements. As a result, it is unlikely that banking organizations have an existing infrastructure to adhere to the reporting requirements. Banking organizations should assess their ability to comply with the reporting schedule and stress-test current procedures to identify and address risks that may lead to noncompliance, and review training materials and incident-response procedures.
Cross-functional collaboration
The agencies describe a computer-security incident as: “an occurrence that [i] results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or [ii] constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” Given the broad scope of the definition and the technical nature of reportable incidents, technology and compliance teams need to collaborate to proactively identify and address issues that may lead to noncompliance. Examples of such issues include the use of different incident-reporting tools, storage of information, and incident-review timelines. For example, a case when a technology team, without notifying a compliance team, handles an incident where an employee downloads malware may pose a risk of noncompliance with a new requirement.
Vendor relationships
The proposed ruling also applies to bank service providers that offer a range of services, from check and deposit sorting and posting to data processing and back-office services. The proposed rule relies on the definition provided in the Bank Service Company Act to identify the affected service providers. To meet the new reporting requirements, banking organizations should identify service providers subject to the new reporting requirements and, if necessary, amend the terms and conditions of existing contracts. At least two individuals should be designated to receive service provider notices of security incidents. The banking organization then is responsible for following its internal procedures to review and, if necessary, report the incident. Banking organizations also are encouraged to incorporate the new reporting requirements into their third-party risk management program.
Addressing ambiguity
The proposed rule includes several ambiguities about the types of incidents that should be reported. For example, banking organizations should not report instances of “a limited distributed denial of service attack that is promptly and successfully managed by a banking organization.”[5] The agencies offer limited clarifying guidance and examples for banking organizations to determine if an incident should be reported, which necessitates the implementation of a framework for organizations to ensure consistent and thoughtful reporting.
Agencies explicitly note that banking organizations are not required to perform a full assessment of the incident prior to notification. However, use of terminology such as “material loss of revenue, profit, of franchise value” creates ambiguity around the level of investigation that banking organizations are required to perform to determine whether an incident rises to the level of notification.[6] The proposed rule also does not offer clear guidance regarding the documentation that must be included in the notice and leaves it up to the bank organizations to select an appropriate written or oral method of notification.
While the agencies anticipate that the proposed rule will have only marginal impact on the banks’ operations, compliance with the new requirement may be extremely challenging. Banking organizations with weak information-sharing practices, many manual processes, and fractured operations may face a particularly difficult time adhering to the new requirement. The new rule provides no guidance on the content and the form of reporting, Therefore, banking organizations need to put in place decision-making, reporting, and recordkeeping practices to demonstrate they have made the “best effort to share general information about what is known at the time.”[7] Banking organizations should start actively planning for the new reporting mandate by evaluating their reporting capabilities, information-sharing and decision-making practices, and vendor management policies.
Note: Written comments on the proposed rule are due on April 12, 2021. The final rule may differ from the terms detailed above.
[1] Internet Crime Complaint Center, 2019 Internet Crime Report, Federal Bureau of Investigation, available at: https://pdf.ic3.gov/2019_IC3Report.pdf
[2] Eversheds Sutherland, “Cybersecurity Storm and Winds of Change: NY DFS requires all New York financial institutions to report effects of SolarWinds hack,” JD Supra (December 23, 2020), available at: https://www.jdsupra.com/legalnews/a-cybersecurity-storm-and-winds-of-50248/
[3] Comptroller of the Currency, Federal Reserve System, and Federal Deposit Insurance Corporation, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” 86 FR 2299 (January 12, 2021), available at:https://www.federalregister.gov/public-inspection/2020-28498/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank
[4] Id., p. 2302.
[5] Id., p. 2302
[6] Id., p. 2302.
[7] Id. p. 2303.