Federal Banking Agencies Issue Long-Awaited Computer Security Incident Notice Rules

The federal banking agencies issued their long-awaited computer security incident rules (“the Rules”) on Thursday, November 18. The Rules will impose new regulatory notice obligations for banks and certain service providers regarding significant computer security incidents.

The Rules are separate and apart from the banking agencies’ respective incident response program guidance issued pursuant to the GLBA. Unlike the GLBA incident response program guidance, the Rules focus on computer security incidents (whether malicious in nature or not) that result in severe business disruptions to banks or their service providers, as opposed to unauthorized access to customer information.

The Rules (with which covered entities must comply by May 1, 2022) will require a “banking organization” to notify its primary federal regulator (i.e., the Federal Deposit Insurance Corporation (“FDIC”), Federal Reserve Board (“FRB”) or Office of the Comptroller of the Currency (“OCC”)) of a covered security incident no later than 36 hours after determining that the incident occurred. Significantly, the Rules introduce a first-of-its-kind requirement in this area in that the Rules will also directly apply to a “bank service provider” and will require such an entity to notify its affected bank customers as soon as possible after experiencing a security incident that causes four or more hours of material service disruption or degradation of the service it provides to the customer.

The following provides an overview of the Rules, as well as key takeaways for banks and their service providers.

Who Is Covered?

As noted above, the Rules will impose distinct notice obligations on “banking organizations” and their respective “bank service providers.” The Rules will apply to certain of the banking entities subject to the authority of the FDIC, FRB and OCC. In particular, the Rules will apply to:

• For the FDIC: all insured state nonmember banks, insured state-licensed branches of foreign banks and state savings associations;
• For the FRB: all U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations and Edge and agreement corporations; and
• For the OCC: national banks, federal savings associations and federal branches and agencies of foreign banks.

It is noteworthy that, unlike the GLBA incident response program guidance issued by each of the federal banking agencies, the Rules do not appear to apply to subsidiaries of the various banking organizations.

Separately, the Rules also will apply to a “bank service provider.” In this regard, the Rules define a “bank service provider” as a bank service company or other person that provides services to a banking organization that are subject to the Bank Service Company Act (“BSCA”). Such services include:

• Check and deposit sorting and posting;
• Computation and posting of interest and other credits and charges;
• Preparation and mailing of checks, statements, notices and similar items; and
• Other clerical, bookkeeping, accounting, statistical or similar functions, including data processing, internet banking and mobile banking services.

Finally, note that the Rules specifically will not apply to any financial market utility that the Financial Stability Oversight Council has designated as systemically important under 12 U.S.C. § 5436.

What Is Required?

As noted above, the Rules will impose distinct notice obligations on “banking organizations” and “bank service providers” for similar computer security incidents.

Banking Organizations: In particular, the Rules will require that a “banking organization” notify the appropriate supervisory office or point of contact at its primary federal regulator (i.e., the FDIC, FRB or OCC), as soon as possible but no later than 36 hours after determining that a “notification incident” has occurred. While the Rules do not specify the content of such a notice, the Rules do clarify that notice must be provided by e-mail, telephone or similar method that the applicable agency may prescribe.

For purposes of the Rules, a “notification incident” is a “computer security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

• ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
• product or service that the banking organization offers to serve its customers or support other business needs, including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or
• operations, including associated services, functions and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Moreover, the Rules define a “computer security incident” as an occurrence that results in “actual harm” to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits.

In the background information accompanying the Rules, the banking agencies provide examples of the types of computer security incidents that they believe will constitute noticeable incidents, including:

• A large-scale DDOS attack that disrupts customer account access for an extended period of time (e.g., more than four hours);
• A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
• A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
• An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
• A computer hacking incident that disables banking operations for an extended period of time;
• Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
• A ransomware attack that encrypts a core banking system or backup data.

Bank Service Providers: Because many computer security incidents that impact a bank can result from events experienced by critical vendors, the Rules also will require that a “bank service provider” notify its bank customers of certain events. In particular, the Rules will require that a “bank service provider” notify each affected “banking organization” customer as soon as possible after determining that the service provider has experienced a “computer security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the covered services that it provides to the customers for four or more hours.

The Rules clarify that a bank service provider must notify at least one bank-designated point of contact at each affected banking organization. If a bank customer has not designated a point of contact, the service provider will be required to notify the customer’s Chief Executive Officer and Chief Information Officer or two individuals of comparable responsibilities.

The Rules also clarify that a bank service provider will not be required to provide notice (pursuant to the Rules) in the event of scheduled maintenance, testing or software update that the service provider previously communicated to the bank customer.

What Are Some Key Takeaways?

It is important to emphasize that the Rules are not breach notification rules. The Rules require notice about certain security events that cause significant disruptions or impacts to a banking organization’s ability to do business or materially harm its business.

The definition of a “noticeable incident” and the examples noted above reiterate this critical point: the Rules are not about malicious attacks or events specifically, but is instead about the impact that a computer security event has, regardless of its cause. For example, a computer security event that causes a prolonged disruption to customer account access would be a noticeable event under the Rules regardless of whether the “trigger” for such an event was an employee spilling coffee on a server, a fire or flood in a data center, a natural disaster (e.g., an earthquake) or a hack, DDOS attack or ransomware event. Because the notice “trigger” under the Rules focus on the impact of an event, as distinct from the type or nature of an event, the Rules unambiguously focus only on the subset of computer security events that have the most severe impact on a banking organization, specifically those that implicate business continuity or business disruption, impair a banking organization’s ability do business or materially harm its business.

Nonetheless, it will of course be possible for a banking organization to experience an event that requires notice under the Rules, as well as notice to customers under the GLBA incident response program guidance or state data breach notification laws. For example, if a banking organization experiences a ransomware event that materially disrupts its business and in which the attacker also exfiltrates customer data before deploying the malicious payload, the banking organization may have notice obligations under not only the Rules, but also other laws. That is, while the Rules are not “traditional” data breach notification rules, the Rules may overlap with existing data breach notification laws and rules for certain incidents.

To the extent that there may be overlap, it is important to emphasize a critical distinction between the Rules and “traditional” data breach notification rules. As discussed above, the Rules will require notice within 36 hours of the determination that a “noticeable incident” has occurred. The rapid timing of this notice arguably makes sense because the Rules focus only on critical events that significantly impair the bank’s ability to do business. Nonetheless, the Rules will require a far “faster” notice than the typical state breach notification law or even other standards that have the most onerous timing requirements (e.g., the New York Department of Financial Services cybersecurity regulation and the EU’s GDPR, which each impose a 72-hour regulator notice obligation). Although the Rules do not prescribe detailed notice content and will permit a far less formal notice format (e.g., notice by phone), the 36-hour timeframe will likely present operational challenges for a banking organization in the midst of a severe event. Banking organizations should update their incident response plans accordingly.

A banking organization also will want to provide its “bank service providers” with an appropriate bank point of contact in the event that a bank service provider is required to provide notice to the banking organization. It will be critical that these notices are not “lost in the shuffle” given the time constraints on a banking organization to notify its regulators. Of course, given the Rule’s focus on severe impacts (and not, for example, simply a loss of customer information), a bank may be aware of an event even before receiving notice from its service provider because the bank may see the impact directly (e.g., if online banking is down for an extended period of time).

As noted above, the Rules are significant in that they will impose notice obligations directly on “bank service providers.” This is distinct from the “traditional” regulatory approach of imposing obligations on banks to then “flow down” or impose contractual obligations (e.g., notice) on their vendors. While it is not clear whether the authority of the federal banking agencies to impose such obligations directly on service providers will be challenged or litigated, it will be important for a company that provides services to banks to evaluate whether such services would cause the company to be considered a “bank service provider” for purposes of the Rules.

Moreover, the Rules will certainly raise the stakes for “bank service providers.” While it is likely that most bank contracts with “bank service providers” will include various notice obligations for outages and other service disruption events, such obligations are contractual (and not legal), and the timing provided for in the contracts and the Rules may not be the same. Any company that is a “bank service provider” should consider implementing a process to ensure that affected banks will be notified as required under the Rules. As a practical matter, much like the similar consideration noted above for banks, a “bank service provider” should consider clarifying, in advance, the appropriate point of contact with its bank customers. The last thing that a “bank service provider” will want during its response to a critical event will be figuring out who to notify at a bank customer.