
USA: Federal bank regulators' finalised incident notification rule reforms reporting requirements for banks and service providers

The Office of the Comptroller of the Currency ('OCC'), the Board of Governors of the Federal Reserve System ('the Board'), and the Federal Deposit Insurance Corporation ('FDIC') announced, on 18 November 2021, the approval of a final rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system.


Introduction

The final rule approved by the OCC, the Board, and the FDIC requires banking organisations to notify their primary federal regulator, no later than 36 hours, of any 'computer-security incident' that rises to the level of a 'notification incident' as defined in the final rule. In addition, the final rule requires bank service providers to notify each affected banking organisation customer as soon as possible once the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation lasting four or more hours.

Background

U.S. federal financial regulators have highlighted an increase in cyberattacks targeting the financial services industry. As a result, the regulators consider the final rule a key tool for mitigating the impact of this ongoing threat, since it allows the agencies, among other things, to gain early awareness of threats to the broader financial system, to better assess the threat that a notified incident poses to an organisation and take appropriate action to address it, and to conduct horizontal analysis in order to provide targeted guidance and adjust supervisory programmes.

Scope

The final rule applies to any 'bank service provider', defined as a bank service company or other person that performs covered services; however, no designated financial market utility is considered a bank service provider. The rule also defines a 'computer-security incident' as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. Building on that definition, a 'notification incident' is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organisation's:

  • ability to carry out banking operations, activities, or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • business line(s), including associated operations, services, functions, and support, whose failure would result in a material loss of revenue, profit, or franchise value; or
  • operations, including associated services, functions, and support, as applicable, whose failure or discontinuance would pose a threat to the financial stability of the US.

In this respect, the final rule also provides a non-exhaustive list of incidents that would generally be considered 'notification incidents', including:

  • large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than four hours);
  • widespread system outages, with an undeterminable recovery time, at a bank service provider that a banking organisation uses for its core banking platform to operate business applications;
  • a failed system upgrade or change that results in widespread user outages for customers and banking organisation employees;
  • an unrecoverable system failure that results in activation of a banking organisation's business continuity or disaster recovery plan;
  • a computer hacking incident that disables banking operations for an extended period of time;
  • malware on a banking organisation's network that poses an imminent threat to the banking organisation's core business lines or critical operations or that requires the banking organisation to disengage any compromised products or information systems that support the banking organisation's core business lines or critical operations from Internet-based network connections; and
  • a ransom malware attack that encrypts a core banking system or backup data.

Bank service provider notification

The final rule requires bank service providers to notify at least one bank-designated point of contact at each affected banking organisation customer as soon as possible once the bank service provider determines that it has experienced a computer-security incident as defined above. If no point of contact has been designated, the notification must be made to the Chief Executive Officer and Chief Information Officer of the banking organisation customer. Notably, the final rule does not require a bank service provider to assess whether the incident rises to the level of a notification incident for a banking organisation customer; that assessment remains the responsibility of the banking organisation.

When it comes to breach notification, many bank service providers are already obliged to report incidents under their service agreements with a bank. For this reason, the inclusion of bank service providers was a point of contention during the consultation period for the final rule. However, the federal regulators stated that 'the issue is important enough to warrant an independent regulatory requirement that ensures consistency and enforceability, without the necessity of revising contractual provision.' Therefore, bank service providers that already have notification requirements in their agreements must nonetheless comply with the final rule.

Looking forward

All OCC-, Board-, and FDIC-regulated financial institutions will have limited time to prepare: the rule enters into effect on 1 April 2022, and organisations must comply by 1 May 2022. The rule also underlines that cybersecurity remains an ongoing regulatory priority of federal supervisory authorities in the US. Accordingly, these financial institutions should review the requirements and provisions of the final rule and take appropriate measures to ensure timely compliance.

Edidiong Udoh, Privacy Analyst