-- By Peter Marta, Tim Tobin, Jasmeet Ahuja, and Jake Nevola of Hogan Lovells.
On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking (NPRM) titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule), which would create accelerated notification obligations for banking organizations and bank service providers in the event of a “‘computer-security incident’ that rises to the level of a ‘notification incident.’” Importantly, the Proposed Rule focuses on security events that disrupt financial institutions’ operations and not just security events that impact sensitive customer information, some of which would not be covered by the Proposed Rule.
The Proposed Rule would require a “banking organization” to notify its primary regulator no later than 36 hours after reasonably determining that a qualifying incident has occurred, and it would require a “bank service provider” (both terms defined below) to notify a banking organization immediately upon detecting that an incident materially impacting such organization has occurred. If the Proposed Rule is enacted, banking organizations and their service providers may want to consider updating their incident response plans and vendor risk management programs to address its new reporting requirements. Comments are due by April 12, 2021, 90 days from publication in the Federal Register.
Who Would Be Impacted?
The Proposed Rule would apply to:
1. “Banking organizations,” which are defined as:
a. For the OCC, national banks, federal savings associations, and federal branches and agencies;
b. For the Board, all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; Edge and agreement corporations; and
c. For the FDIC, all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations
2. “Bank service providers,” which the Proposed Rule defines as “a bank service company or other person providing services to a banking organization that is subject to the Bank Service Company Act.”
What are the proposed new obligations?
The Proposed Rule would require banking organizations to notify their primary federal regulator of certain computer-security incidents – i.e., those that qualify as a “notification incident” under the Proposed Rule – “as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.”
The Proposed Rule defines a “computer-security incident” as “an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
A notification incident is “a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair:
- The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
The Proposed Rule provides several examples of what the regulators would expect to be computer-security incidents rising to the level of a notification incident. They include, but would not necessarily be limited to: (i) large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours); (ii) widespread system outages with undeterminable recovery times at a bank service provider used by a banking organization for its core banking platform and applications; (iii) failed system upgrades or changes that results in widespread user outages for customers and bank employees; (iv) unrecoverable system failures that result in activation of a banking organization’s business continuity or disaster recovery plan; (v) computer hacking incidents that disable banking operations for an extended period of time; (vi) malware propagating on a banking organization’s network that requires the banking organization to disengage all Internet-based network connections; and (vii) ransom malware attacks that encrypt a core banking system or backup data.
Bank Service Providers
In recognition that banking organizations are increasingly reliant on third party IT service providers, and that those service providers are themselves vulnerable to cyber attacks, the Proposed Rule would also require bank service providers to “notify [an] affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair the provision of services” it provides to the banking organization subject to the Bank Service Company Act (BSCA) (emphasis added).
The Proposed Rule would require bank service providers to notify “at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to [the BSCA] for four or more hours.”
The practical impact that the Proposed Rule would have on banking organizations is unclear. In the NPRM, the federal regulators argue that the Proposed Rule would not be likely to “add significant burden on banking organizations” because their incident response plans and policies already include protocols for notifying their prudential regulators. In our experience, financial sector regulators’ expectations have evolved over time such that they already increasingly expect banking organizations – especially the largest U.S. financial institutions – to notify them of cyber-related incidents promptly, and many of them do so. However, as noted in the NPRM, not all banking organizations have altered their incident notification protocols in response to these evolving expectations. As a result, in some cases timely notification has not been provided to those organizations’ primary regulator, “which is why the agencies are issuing the [Proposed Rule].”
The Proposed Rule explicitly distinguishes the new proposed requirements from existing notification obligations on banking organizations. For example, the Bank Secrecy Act (BSA) and its implementing regulations require certain financial institutions to file Suspicious Activity Reports (SARs) when they detect a known or suspected crime or a suspicious transaction related to money-laundering. While they play an important role in combating financial crimes, the NPRM points out that SARs “serve a different purpose” from the Proposed Rule’s notification requirement and the BSA’s 30-day reporting obligation “does not provide the agencies with sufficiently timely notice of reported incidents.” Similarly, reporting obligations under the Gramm-Leach-Bliley Act (GLBA) and its implementing guidance require financial institutions to notify their “primary federal regulator ‘as soon as possible’ if the organization becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information.” As with BSA reporting requirements, the NPRM notes that the notification obligations under GLBA serve an important purpose but its standard “is too narrow in scope to address all relevant computer-security incidents that would be covered by the [Proposed Rule].”
While acknowledging that existing reporting regimes provide regulators with “valuable insight regarding cyber-related events and information-security compromises,” the NPRM states that “existing requirements do not provide the agencies with sufficiently timely information about every notification incident that would be captured by the [Proposed Rule].” The proposed notification requirements in the Proposed Rule are “intended to serve as an early alert to a banking organization’s primary federal regulator” of cyber-related incidents. The agencies believe receiving these reports promptly is important for various reasons, including, for example, to understand quickly if multiple banking organizations are experiencing a common attack.
As stated above, the 36-hour notification requirement would only be triggered once a banking organization “believes in good faith that a notification incident has occurred.” While the 36 hour timeframe is short, at least the Proposed Rule takes the approach of starting the timeframe from when a banking organization reaches a determination that there has been a notification incident. The federal banking agencies acknowledge pragmatically that banking organizations would not “typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident.” Rather, the agencies “anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident.” From the point of that determination, the agencies maintain that 36 hours is a “reasonable” amount of time “particularly because the notice would not need to include an assessment of the incident.” In addition, the NPRM notes that the regulators “expect only that banking organizations share general information about what is known at the time” and permit them to notify “through any form of written or oral communication, including through any technological means (e.g., email or telephone), to a designated point of contact identified by the banking organization’s primary federal regulator.”
The Proposed Rule raises some concerns. Although it is helpful having the 36 hour timeframe start from the point a banking organization has determined a computer security incident has occurred, the timeframe is still shorter than under any existing law or regulation. By way of comparison, both the European Union’s General Data Protection Regulation and the New York Department of Financial Services’ Cybersecurity Regulation (NYDFS Cybersecurity Regulation) require notification of certain incidents within 72 hours. In addition, the Proposed Rule would require notification of certain incidents that “could materially disrupt, degrade, or impair” banking operations (emphasis added). The “could” language may prove onerous in many situations, as it may effectively negate the banking organizations’ ability to make an informed and appropriate “determination” of a notice incident before triggering the 36 hour timeframe, since many minor incidents may first appear as if they “could” have a material impact even though, upon appropriate investigation, which takes time, they do not. In other words, although the agencies state their intent is to not require the timeframe to run from the point of first learning of an incident, at that point many incidents appear as if they “could” cause the disruptions triggering notice when in fact they turn out to be minor incidents. This could cause an overreporting of events.
Potential Areas for Comment
Banking organizations (and their service providers) should consider providing comments on the Proposed Rule to the agencies, including weighing in on whether existing notice regimes and practices are already sufficient. Moreover, the Proposed Rule would significantly shorten the amount of time a banking organization would have to determine the materiality of a cyber-related incident before making the decision whether it is required to notify its primary regulator. This would be a significant challenge – anyone who has lived through a major incident understands well the limited facts that are available in the early hours after detection and the difficulty of determining the extent of the impact. As a result, if the Proposed Rule is enacted without significant modification, banking organizations and their service providers would be prudent to update their incident response plans and vendor risk management programs. In particular, banking organizations will want to review their existing protocols for internal escalation of incidents so that the appropriate analysis can be conducted to determine whether the event qualifies as a “notification incident” and thus requires quick regulatory outreach. Banking organizations may also want to review the existing notification requirements in their contracts with service providers.
In addition to accelerated notification obligations to banking organizations’ prudential regulators, the Proposed Rule would impact requirements to notify state banking authorities in some cases. For example, the NYDFS Cybersecurity Regulation requires “covered entities” to notify the department “as promptly as possible but in no event later than 72 hours from a determination” that a cybersecurity incident has impacted the organization “and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body.” As a result, organizations subject to the NYDFS Cybersecurity Regulation should consider the impact of the Proposed Rule on their obligations to report certain incidents to non-federal regulators and update their policies and protocols accordingly.
In addition to the notification timeframe, the NPRM identifies a number of additional items for which banking organizations may want to comment. These include the definitions of “computer-security incident” and “notification incident,” whether the “believe in good faith” standard triggering notice is the appropriate one, and the specific examples of computer-security incidents that should or should not trigger a notification incident.
-- By Peter Marta, Tim Tobin, Jasmeet Ahuja, and Jake Nevola of Hogan Lovells.