ABA, Financial Groups Raise Concerns about Cyber Incident Notification Proposal

A new proposal by the federal banking agencies requiring that banks notify their primary regulator within 36 hours after developing a good-faith belief of a “computer-security incident” or “notification incident” could impose a significant reporting burden, ABA and three other financial trades cautioned in a letter yesterday.

The proposal defines a computer-security incident as an occurrence that results in actual or potential harm to the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. It defines a notification incident as one that could materially disrupt, degrade or impair bank operations or the delivery of bank products and services, among other things.

While the groups supported efforts to ensure clarity and consistency around the reporting of cyber incidents, they noted that as written, the proposal would require banks to report incidents that fall “well below the intended threshold of critical cybersecurity incidents.” Among other things, the groups urged the agencies to more narrowly target their definition of “notification incident” to include “only those incidents that result in ‘actual’ harm and that a banking organization ‘determines’ in good faith are ‘reasonably likely’ to cause the significant harms set forth in the rule.”

In a separate comment letter, ABA also called on regulators to: continue to acknowledge the importance of voluntary notice of cyber incidents; clearly articulate definitions, expectations and implementation around the 36-hour notification time frame; develop flexible notice options; and offer flexible adoption timelines that account for differing needs and compliance resources available to banks.