What Banks Need to Know About New Data Breach Notification Requirements

By David J. Oberly

Given the omnipresent concern about cyber attacks targeting the banking industry, the FDIC, OCC and Federal Reserve recently published a new joint final rule establishing enhanced security incident notification requirements for banking organizations and their service providers.

The final rule is designed to improve the sharing of information about cyber incidents that may impact the nation’s banking system and requires banks to notify their primary federal regulator within 36 hours of determining that a “significant” computer-security incident has occurred. Similarly, bank service providers are now required to notify impacted bank customers as soon as possible of any incident that could materially impact their operations for four hours or more.

The deadline for compliance with the new notification requirements is May 1. Here is a breakdown of these new notification requirements:

Financial institutions

Notification events. For covered banking organizations, the new notification requirements are triggered in the event a bank experiences a “notification incident,” defined as a security event resulting in actual harm to the confidentiality, integrity or availability of the bank’s information system or the information that the system processes, stores or transmits, and which has disrupted or degraded, or is reasonably likely to disrupt or degrade, its: ability to carry out banking operations or deliver banking products or services to a material portion of its customers; business lines which, upon failure, would result in a material loss of revenue or franchise value; or operations which, upon failure or discontinuance, would pose a threat to the financial stability of the nation.

Notification obligations. In the event of a notification incident, banking organizations are required to notify the appropriate agency or agency-designated point of contact of the incident, which can be accomplished through email, telephone or similar methods prescribed by the agencies. The bank must provide its notice no later than 36 hours after a determination has been made that a notification incident has occurred.

Service providers

Notification events. For service providers, the new notification requirements are triggered when a service provider experiences an incident resulting in actual harm to the confidentiality, integrity or availability of the service provider’s information system or the information that the system processes, stores or transmits, and which has disrupted or degraded, or is reasonably likely to disrupt or degrade, the services it provides for a period of four or more hours.

Notification obligations. In the event of a triggering security incident, service providers are required to provide notice of the incident to at least one bank-designated point of contact at each affected bank customer. In the event no bank-designated point of contact has been supplied to the service provider, notification must be made to the bank’s CEO and CIO or two individuals of comparable responsibility and can be accomplished “through any reasonable means.”

In terms of timing, service providers are only required to supply the requisite notice “as soon as possible” after a determination has been made that a triggering security incident has occurred. The 36-hour time limitation imposed on banks does not, however, extend to service providers.

Practical compliance tips

Security incident notification is not a new concept, especially for the already heavily regulated banking sector. With that said, the more aggressive notification requirements set forth in the final rule may require banks and their service providers to make certain modifications to their current security incident policies, procedures and protocols to align them with these new, unique notice requirements. In particular, banks and their service providers should consider taking the following actions well in advance of the May 1, 2022, compliance deadline:

Security incident detection. Ensure that the appropriate practices and protocols are in place to effectively detect any potential security incidents. These practices should also provide the capability to rapidly determine whether any such incident rises to the level of triggering notice under the final rule.

Incident response notification. Update all security incident response plans to ensure the ability to provide notification to any applicable regulatory agencies (in the case of banks) or banking customers (in the case of service providers) within the time limitations prescribed by the final rule. This should include the implementation of clear, easy-to-understand protocols to facilitate notification in a timely manner, as well as up-to-date contact information for all designated points of contact that must receive notice in the event of a triggering security incident.

Service provider contracts. Review all service provider contracts to ensure they address security incident notification requirements in a manner that is consistent with the final rule. Incorporating these new obligations is especially important in light of the obligation imposed on service providers to escalate security incidents to a bank customer’s CEO and CIO in the event that no bank-designated contacts have been given to the service provider. At the same time, service providers must also remember that compliance with the final rule is required even where their contractual obligations conflict with the new notification mandates.

Other intersecting breach notice obligations. Lastly, keep in mind that the notification requirements under the final rule likely diverge from banks’ and service providers’ other existing breach notification obligations. This is because the final rule focuses on security incidents themselves that may impair or otherwise harm operations (that is, the operational impact of security incidents), while other breach notice regimes focus on unauthorized access to personal information (that is, the compromise of personal information associated with a security incident).

David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s privacy, security and data protection, biometric privacy and privacy class action litigation groups. He can be reached at [email protected].