Agencies Propose Rule Regarding Timely Notification of Cyber Attacks

A new proposed rule by the federal banking agencies would require banks to notify their primary regulator within 36 hours of becoming aware that a “computer-security incident” or “notification incident” has occurred. The rule would also require bank service providers to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.”

The rule defines a computer-security incident as an occurrence that results in actual or potential harm to the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. A notification incident is defined as one that could materially disrupt, degrade or impair bank operations or the delivery of bank products and services, among other things. The notice requirement is intended to signal the occurrence of a significant material event; based on a review of FinCEN reports, the banking agencies anticipate that incidents of this type (such as ransomware, Trojan malware and zero-day attacks) occur approximately 150 times annually across the aggregate financial services industry.

Under the proposed rule, banks would be required to notify their regulator “as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.” The agencies added that the requirement “is intended to serve as an early alert to a banking organization’s primary federal regulator and is not intended to provide an assessment of the incident.” The FDIC board approved the NPR today and comments will be due 90 days after publication in the Federal Register.