On November 18, 2021, the Office of the Comptroller of the Currency (the “OCC”), the Federal Reserve System Board of Governors (the “Board”) and the Federal Deposit Insurance Corporation (the “FDIC”) issued a final rule (the “Final Rule”) that requires any financial institution subject to their respective jurisdictions to notify its lead federal regulator of any “computer security incident” that reaches the level of a “notification incident”, as those terms are defined in the final rule, as soon as possible and no later than 36 hours after the institution determines that a notification incident has occurred.[1] The final rule also requires that a service provider to a financial institution notify each affected institution as soon as possible when the service provider determines that it has experienced a computer security incident that has caused, or is reasonably likely to cause, a significant service disruption or degradation for four hours or more.

The final rule follows a proposed rule announced by the same regulators in December 2020 (the “proposed rule”) and reflects some substantial revisions to the proposed rule. Federal regulators received 35 comments from banks, service providers and consumer groups, the majority of which supported the proposed rule and the need for early notification of significant data incidents involving financial institutions. However, some commenters questioned the definitions provided under the proposed rule and some of the specific notification provisions for financial institutions and service providers. The final rule is effective April 1, 2022, and compliance is required as of May 1, 2022.

For financial institutions not subject to the jurisdiction of the OCC, Board, or FDIC, note that the Federal Trade Commission (the “FTC”) is in the process of proposing changes to the Safeguards Rule that would require nonbank financial institutions subject to the jurisdiction of the FTC to report certain data breaches and other security events to the FTC.

Relevant definitions

Only computer security incidents that reach the level of notification incidents should be reported to federal regulators.

The final rule defines a “computer security incident” as “an event that causes real damage to the confidentiality, integrity or availability of an information system or information that the system processes, stores or transmits.” Note that this is more limited than the proposed rule definition, which would have included potential occurrences and occurrences that constituted a violation or an imminent threat of violation of security policies, security procedures, or acceptable use policies.

The final rule defines a “notification incident” as “a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • Ability to carry out banking operations, activities or processes, or to provide banking products and services to a significant portion of its customers, in the ordinary course of business;

  • Line(s) of business, including related operations, services, functions and support, which, in the event of failure, would result in a material loss of income, profits or franchise value; or

  • Operations, including related services, functions and support, if any, the failure or interruption of which would constitute a threat to the financial stability of the United States.”

Reports by financial institutions

Under the Final Rule, a financial institution must notify its lead federal regulator of a notification incident (as defined above) as soon as possible and no later than thirty-six (36) hours after the institution has determined that a notification incident has occurred. Note that this gives financial institutions half the time to report an incident that is allowed by the EU’s General Data Protection Regulation or the New York Department of Financial Services cybersecurity regulations. Federal regulators believe the more onerous timing requirement is offset by the narrow definition of “computer security incident” in the final rule compared to the proposed rule.

A financial institution may give notice in writing or orally (including by email or telephone) to the institution’s designated point of contact with the institution’s primary federal regulator. Federal regulators expect financial institutions to share background information on facts known at the time of the incident. No specific information is required in the notification other than that a notification incident has occurred. The final rule does not prescribe any form or template. Notifications, and any information related to the incident, would be subject to the regulator’s confidentiality rules.

The preamble to the final rule recognizes that a financial institution will need to undertake a reasonable investigation to determine whether a notification incident has occurred and explicitly provides that the 36-hour notification period does not begin until after the financial institution has ultimately determined that a notification incident took place.

Usefully, the final rule also recognizes that not all data incidents are reportable and provides a non-exhaustive list of events that could reach the level of a notification incident:

  • Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);

  • A service provider used by a financial institution for its main banking platform to operate business applications experiences widespread system failures and the recovery time is indeterminable;

  • A failed system upgrade or modification that results in widespread user outages for customers and employees of financial institutions;

  • An unrecoverable system failure that results in the activation of a financial institution’s business continuity or disaster recovery plan;

  • A hacking incident that disables banking operations for an extended period;

  • Malware on a financial institution’s network that poses an imminent threat to its main lines of business or critical operations or that requires it to disengage any compromised product or information system that supports its main lines of business or critical operations from Internet network connections; and

  • A ransomware malware attack that encrypts a primary banking system or backup data.

The final rule provides that affiliated financial institutions each have separate and independent reporting obligations. Each financial institution should assess whether it has experienced a notification incident that it should report to its lead federal regulator. Subsidiaries of financial institutions that are not themselves financial institutions subject to the final rule do not have notification requirements under the final rule. However, if a computer security incident were to occur at such a subsidiary, the parent financial institution would have to assess whether the incident was a notification incident for it and, if so, it would be required to notify its primary federal regulator.

Reports by service providers

Only service providers performing services for a financial institution and who are subject to the Bank Service Company Act (the “BSCA”) are subject to the final rule. The final rule does not further define which services are subject to the BSCA. The final rule requires that a service provider notify each affected client financial institution as soon as possible after the service provider determines that it has experienced a computer security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four hours or more.”

Under the final rule, a service provider may fulfill its obligation by notifying a contact designated by the financial institution or, if no contact has been designated, by notifying the CEO and the chief information officer of the financial institution (or two people with comparable responsibilities).

The preamble to the final rule indicates that federal regulators do not anticipate that the final rule will add a significant burden to service providers, as many service providers are already subject to contractual requirements to notify financial institutions in the event of a data incident.

Next steps

In light of the final rule, we recommend doing the following before the May 1, 2022 compliance deadline:

  • Financial institutions and service providers subject to the final rule should review their incident response plans and other relevant policies and procedures to ensure that they will be able to meet the onerous notification obligations under the final rule. For example, these plans and policies should provide for the escalation of suspected computer security incidents to a specific person (preferably identified by title) as soon as is reasonably possible.

  • Financial institutions should adopt procedures and develop relevant standards that will enable them to quickly determine whether a computer security incident reaches the level of a notification incident.

  • Financial institutions should include up-to-date contact information for their primary regulators, and service providers should document appropriate points of contact for their clients specifically for the purpose of reporting computer security incidents.

  • Banks need to update their service provider agreements as well as their current service provider agreements to impose notification requirements that follow the final rule.

[1] See 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC.

© Copyright 2021 Squire Patton Boggs (US) LLP
National Law Review, Volume XI, Number 328