Publication

Federal Financial Regulators Propose Rule Accelerating Cyber Threat Reporting Requirements

Jan 13, 2021

By James P. Melendres and Diamond Zambrano1

In December 2020, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) issued a Notice of Proposed Rulemaking (the Proposal) that would require bank organizations and their service providers to notify federal financial regulators just 36 hours after experiencing cyber threats and other computer-security incidents.2

The Proposal, if adopted, would likely bring about significant changes for bank organizations and their service providers. Current federal notification requirements are limited in scope, recommending notification only for incidents involving unauthorized access to, or use of, sensitive customer information.3 The Proposal expands notification requirements to include incidents that disrupt a banking organization’s operations even if the incident does not compromise sensitive customer information.4

Compared to current federal and state regulations, the Proposal gives banking organizations significantly less time—36 hours—to notify regulators of an incident.5 Current federal regulations and guidance only recommend covered bank organizations report incidents to their primary federal regulator “as soon as possible” after learning of the incident.6 Furthermore, the New York Department of Financial Services (NYDFS) requires covered entities to report data breaches within 72 hours of their discovery.7

Notably, not every computer-security incident would require a banking organization to notify its primary federal regulator.8 Only significant computer-security incidents—referred to as notification incidents—would trigger the notice requirement.9 Indeed, federal financial regulators predict that not all computer-security incidents will meet the high notification incident threshold. For example, a computer-security incident, such as a limited distributed denial of service attack that is promptly and successfully managed by a banking organization, would not require notice to an appropriate agency.10 However, a large-scale distributed denial of service attack that disrupts customer account access for more than four hours would require notification.11

This client update provides a summary of the Proposal’s key provisions.

Covered Entities

  • Banking organizations include national banks, federal savings associations, and federal branches and agencies regulated by the OCC; U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations; Edge and agreement corporations regulated by the Board; insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations regulated by FDIC.12
  • Bank service providers include any bank service provider or third-party providing services to a banking organization that is subject to the Bank Service Company Act (BSCA).13

Notification Requirements

The Proposal sets out two different notification requirements for banking organizations and bank service providers.

  • Banking Organizations – A banking organization must notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” within 36 hours.14 This 36-hour period would toll after a banking organization makes a good faith belief that a computer-security incident meets the “notification incident” threshold.15

    A computer-security incident is any occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.16

    A notification incident is a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impact its: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business lines, including associated operations, services functions and support, and would result in a material loss of revenue, profit, or franchise value; and (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.17

    Notably, notification incidents are not limited to malicious cyber-related interruptions, such as a coordinated denial of service and ransomware attacks.18 Significant operational interruptions, like major-computer system failures, also qualify as notification incidents. Examples of notification incidents provided under the Proposal include:

  1. A failed system upgrade or change that results in widespread user outages for customers and bank employees;
  2. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
  3. A computer hacking incident that disables banking operations for an extended period;
  4. A ransom malware attack that encrypts a core banking system or back-up data;
  5. Malware propagating on a banking organization’s network that requires the banking organization to disengage all internet-based network connections.19
  • Bank Service Providers – A bank service provider must notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.20
     

    Under the Proposal, bank service providers would not be required to assess whether a computer-security incident meets the notification incident threshold or alert financial regulators.21 Rather, after a bank service provider notifies relevant banking organization customers, the banking organization would be responsible for making the notification incident assessment and alerting financial regulators.22

Notification Content 

  • Banking OrganizationsUnder the Proposal, a banking organization’s notification to its primary federal regulators would not need to include an incident assessment.23 The notification’s purpose is to serve as an early alert for federal regulators.24 Accordingly, the Agencies only expect banking organizations to provide general information about the incident.25 Furthermore, the Proposal does not propose specific reporting methods or mechanisms.26 Instead, Agencies expect banking organizations to provide notice through any form of written or oral communication to a point of contact designated by the primary federal regulator.27
  • Bank Service Providers – Like the notification requirements for banking organizations, bank service providers need only provide banking organizations with general information about the incident.28 Thus, an assessment of the incident is not required. If a service provider fails to comply with the notification requirement, regulators will take direct action against the bank service provider—not the affected banking organization.29

Bank and Non-Bank Subsidiary Guidance

The Proposal would also affect a banking organization’s subsidiaries.30 If a bank subsidiary of a covered banking organization experiences a notification incident, the subsidiary would have to take two steps to comply with the Proposal: (1) notify its primary federal regulator and (2) notify its parent banking organization “as soon as possible” after the notification incident occurs.31 The parent banking organization would then assess whether it has experienced a notification incident and notify its primary federal regulator.32

A non-bank subsidiary of a banking organization would only be required to notify the parent banking organization.33 The parent would then be required to assess whether the incident rises to the level of a notification incident and notify its primary federal regulator.34

Conclusion

Banking organizations and bank service providers should monitor the Proposal as it moves through the rulemaking process. The Agencies are currently inviting comments on the Proposal until April 12, 2021. If the Proposal is adopted, covered banking organizations should identify computer security incidents that would trigger the notification requirement. Additionally, bank service providers may wish to review existing agreements with banking organization customers and prepare and update incident response plans and information security policies to ensure existing notification procedures comply with the Proposal.   

Footnotes

  1. Diamond Zambrano is a 2020 graduate of the Duke University School of Law and her admission to practice law is presently pending.

  2. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2299, 2299–311 (Jan. 12, 2021).

  3. Id. at 2301–02.

  4. Id. at 2301–02.

  5. See id. at 2301.

  6. Id.

  7. See 23 NYCRR § 500.17(a).

  8. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. at 2302.

  9. Id. at 2304.

  10. Id. at 2302.

  11. Id.

  12. Id. at 2302.

  13. Id. at 2392  (These services include check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution).

  14. Id. at 2302.

  15. Id.

  16. Id.

  17. Id.

  18. Id.

  19. Id.

  20. Id.

  21. Id. at 2303.

  22. Id.

  23. Id. at 2303.

  24. Id.

  25. Id.

  26. Id.

  27. Id.

  28. Id.

  29. Id.

  30. Id. at 2303.

  31. Id.

  32. Id.

  33. Id.

  34. Id.

Back to top

About Snell & Wilmer

Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.

©2024 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.
Media Contact

Olivia Nguyen-Quang

Associate Director of Communications
media@swlaw.com 714.427.7490