New incident response regulation clarifies, but the key is materiality

‘One of the hardest parts of this rule is trying to understand where the balance is.’

By John Hintze

Banks can be adversely affected by a wide variety of incidents, from ever-more sophisticated cyberattacks to more traditional power outages. The regulators’ new incident-response regulation clarifies when and how such incidents must be reported. But there are nuances that bankers and their third-party service providers hopefully will have digested and prepared for in advance of such an incident occurring.

The rule became effective May 1, so institutions are now on the compliance radar should they face an incident. A panel session at the 2022 ABA Risk Management Conference discussed how the rule defines incidents, when banking institutions and their third-party vendors should respectively alert regulators and their banking customers, and how to do so.

Ann Marie Tarantino, SVP and chief compliance officer at Esquire Bank, a community bank headquartered in Jericho, New York, asked panel participants just which institutions must comply. For banks the answer is simple—all of them.

“There’s no asset-size designations,” confirmed Denyette DePierro, who was at the time VP for cybersecurity policy at American Bankers Association.

The rule defines an incident as an occurrence that results in actual harm to confidentiality, integrity or availability of information systems or information that the system processes, stores or transmits. A key consideration, said Kimberly Ford, SVP for government relations at Fiserv, a major provider of bank technology, is that the rule does not distinguish between malicious events such as cyberattacks and other types of system outages.

“It’s not looking for intent,” she added.

Finding the balance

Materiality is key for banks to decide whether to report the incident. DePierro said her discussions with bank regulators have made it clear that they want alerts when the incident is about to worsen significantly—a “Houston, we have a problem”-type incident. Meaning: when a large portion of a bank’s customers are affected and failure of that business would result in a material loss of revenue, profit or franchise value.

“The type of incident that could actually undermine the safety and soundness of your institution,” she said. For the largest banks that means any incident that could undermine the financial stability of the U.S.

Such incidents could include a system failure that requires the bank to activate disaster recovery or continuity planning, such as hacking or malware incidents affecting the bank’s network. DePierro offered an example of a small credit union that was hit by ransomware and chose to pay a $3 million ransom. “The ransomware definitely attacked its core systems, but it was paying the ransom that made it a safety and soundness event,” she said. “One of the hardest parts of this rule is trying to understand where the balance is.”

Even if it is questionable whether the incident must be reported under the new rule, a bank voluntarily reporting significant incidents can trigger additional help.

“The bank agencies want to know from a safety and soundness standpoint if there’s an element they haven’t seen before, and the bank can pull support from CISA (Cybersecurity and Infrastructure Security Agency) or other national security apparatus, which may prevent it from spreading to other institutions,” Ford said.

For third-party service providers, there are two prongs to determine compliance obligations. First is whether they provide “covered services” under the Bank Services Company Act, including check-deposit sorting and posting; computation or posting of interest and other credits or charges; preparation or mailing of checks, statements, notices and other similar items; or other clerical bookkeeping, accounting, statistical or similar functions performed for depository institutions.

The new rule does not provide an actual list, per se, to determine whether third-party service providers are impacted, so Ford suggested several questions to determine whether they are in scope. Those questions include whether the third party is a core or critical service provider; whether the bank notified its primary federal regulator of the third-party relationship when it signed the service contract; and whether the failure or disruption of the service would cause a notification incident.

The rule does not require banks to reach out to service providers about whether they are in scope of the rule, but it is a good opportunity for banks to connect with them, DePierro said.

Vendors’ second prong to determine how to proceed, Ford said, is whether an incident materially disrupts or degrades services for four or more hours.

“That’s really the determining factor whether the service provider is going to notify the financial institution,” Ford said, adding the rule doesn’t draw a clear line for when exactly the service provider should notify its bank customers, so it is probably a good idea to notify the bank or banks as soon as it becomes clear the incident could last for four or more hours.

“There’s some subjectivity here that also exists on the bank side,” she said, emphasizing that materiality is a key issue for vendors as well. Hence a minor outage impacting only a few bank customers probably is not covered by the rule, she said, adding that agency staff changed the rule language from incidents causing “potential” harm to “actual” harm, thus narrowing the instances when third parties must notify bank customers.

“[The change] served to reduce the number of notifications to the institutions that were actually impacted,” and that helps the vendor “manage” alarm rising among its customers, Ford said.

Format and time

A plus for banking institutions impacted by the rule is that regulators are not looking for notifications comprising detailed analysis.

“What’s really important here is that there’s no required format,” DePierro said. “It was described to me as a couple of sentences … really just to give notice that ‘Something has gone sideways and we might need some help.’”

The rule gives banks a “reasonable amount of time” to make that determination—potentially a long tail—before actually alerting federal agencies, DePierro said. “Because you may want to bring in forensics or other experts, and consult with your board about making the notification.”

DePierro added that notices can be rescinded after a few days if the bank realizes the incident was not as bad as it thought.

In terms of whether to escalate a notification from a third party into a reportable incident to regulators, DePierro said that if the bank did not realize an incident was occurring until informed by a third party, then under the rule it probably does not rise to the level of having to notify the regulators. If the incident evolves, banks will have that reasonable amount of time to determine whether a notification is appropriate.

“For the most part, if the bank doesn’t know something has happened in its system and there’s no disruption or degradation, and it receives a notice from a third party, it probably doesn’t rise to the level of a notification incident,” DePierro said. “Nevertheless, it’s good to have some processes and procedures in place to take on these notices and decide how and whether to escalate them.”

John Hintze is a frequent contributor to the ABA Banking Journal and its digital channel ABA Risk and Compliance.