ABA Banking Journal

New incident response regulation clarifies, but the key is materiality

December 8, 2022

‘One of the hardest parts of this rule is trying to understand where the balance is.’

By John Hintze

Banks can be adversely affected by a wide variety of incidents, from ever-more sophisticated cyberattacks to more traditional power outages. The federal banking agencies' new computer-security incident notification rule clarifies when and how such incidents must be reported. But there are nuances that bankers and their third-party service providers hopefully will have digested and prepared for before such an incident occurs.

The rule took effect April 1, 2022, with compliance required by May 1, so institutions are now on the compliance radar should they face an incident. A session at the 2022 ABA Risk Management Conference discussed how the rule defines incidents, when banking institutions and their third-party vendors should respectively alert regulators and their banking customers, and how to do so.

Ann Marie Tarantino, SVP and chief compliance officer at Esquire Bank, a community bank headquartered in Jericho, New York, asked panel participants just which institutions must comply. For banks the answer is simple—all of them.

“There’s no asset-size designations,” confirmed Denyette DePierro, who was at the time VP for cybersecurity policy at American Bankers Association.

The rule defines a computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits. A key consideration, said Kimberly Ford, SVP for government relations at Fiserv, a major provider of bank technology, is that the rule does not distinguish between malicious events such as cyberattacks and other types of system outages.

“It’s not looking for intent,” she added.

Finding the balance

Materiality is key for banks to decide whether to report the incident. Not every computer-security incident is reportable; the rule reserves the term "notification incident" for one that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the bank's ability to carry out its operations or deliver products and services to a material portion of its customers. DePierro said her discussions with bank regulators have made it clear that they want alerts when the incident is about to worsen significantly—a “Houston, we have a problem”-type incident. Meaning: when a large portion of a bank’s customers are affected and failure of that business would result in a material loss of revenue, profit or franchise value.

“The type of incident that could actually undermine the safety and soundness of your institution,” she said. For the largest banks that means any incident that could undermine the financial stability of the U.S.

Such incidents could include a failure that forces the bank to activate its disaster recovery or business continuity plans, for example a hacking or malware incident affecting the bank’s network. DePierro offered an example of a small credit union that was hit by ransomware and chose to pay a $3 million ransom. “The ransomware definitely attacked its core systems, but it was paying the ransom that made it a safety and soundness event,” she said. “One of the hardest parts of this rule is trying to understand where the balance is.”

Even when it is unclear whether an incident must be reported under the new rule, voluntarily reporting a significant incident can bring the bank additional help.

“The bank agencies want to know from a safety and soundness standpoint if there’s an element they haven’t seen before, and the bank can pull support from CISA (Cybersecurity and Infrastructure Security Agency) or other national security apparatus, which may prevent it from spreading to other institutions,” Ford said.

For third-party service providers, there are two prongs to determine compliance obligations. First is whether they provide “covered services” under the Bank Services Company Act, including check-deposit sorting and posting; computation or posting of interest and other credits or charges; preparation or mailing of checks, statements, notices and other similar items; or other clerical bookkeeping, accounting, statistical or similar functions performed for depository institutions.

The new rule does not provide an actual list, per se, to determine whether third-party service providers are affected, so Ford suggested several questions to determine whether they are in scope. Those questions include whether the third party is a core or critical service provider; whether the bank notified its primary federal regulator of the third-party relationship when it signed the service contract; and whether the failure or disruption of the service would cause a notification incident.

The rule does not require banks to reach out to service providers about whether they are in scope of the rule, but it is a good opportunity for banks to connect with them, DePierro said.

Vendors’ second prong to determine how to proceed, Ford said, is whether an incident materially disrupts or degrades services, or is reasonably likely to do so, for four or more hours.

“That’s really the determining factor whether the service provider is going to notify the financial institution,” Ford said, adding the rule doesn’t draw a clear line for when exactly the service provider should notify its bank customers, so it is probably a good idea to notify the bank or banks as soon as it becomes clear the incident could last for four or more hours.

“There’s some subjectivity here that also exists on the bank side,” she said, emphasizing that materiality is a key issue for vendors as well. Hence a minor outage impacting only a few bank customers probably is not covered by the rule, she said, adding that agency staff changed the rule language from incidents causing “potential” harm to “actual” harm, thus narrowing the instances when third parties must notify bank customers.

“[The change] served to reduce the number of notifications to the institutions that were actually impacted,” and that helps the vendor “manage” alarm rising among its customers, Ford said.

Format and time

A plus for banking institutions affected by the rule is that regulators are not looking for notifications containing detailed analysis.

“What’s really important here is that there’s no required format,” DePierro said. “It was described to me as a couple of sentences … really just to give notice that ‘Something has gone sideways and we might need some help.’”

The rule gives banks a “reasonable amount of time” to make that determination—potentially a long tail—before actually alerting federal agencies, DePierro said. “Because you may want to bring in forensics or other experts, and consult with your board about making the notification.” Once the bank determines that a notification incident has occurred, however, the rule requires it to notify its primary federal regulator as soon as possible and no later than 36 hours after that determination.

DePierro added that notices can be rescinded after a few days if the bank realizes the incident was not as bad as it thought.

As for whether a notification from a third party should be escalated into a report to regulators, DePierro said that if the bank did not realize an incident was occurring until informed by the third party, then it probably does not rise to the level of a notification incident under the rule. If the incident evolves, banks will have that reasonable amount of time to determine whether a notification is appropriate.

“For the most part, if the bank doesn’t know something has happened in its system and there’s no disruption or degradation, and it receives a notice from a third party, it probably doesn’t rise to the level of a notification incident,” DePierro said. “Nevertheless, it’s good to have some processes and procedures in place to take on these notices and decide how and whether to escalate them.”

John Hintze is a frequent contributor to the ABA Banking Journal and its digital channel ABA Risk and Compliance.

Tags: Cyber crime, Ransomware, Reporting, Third-party risk

© 2025 American Bankers Association. All rights reserved.