Hardly a day goes by without news of a new cybercrime hobbling a major business.[1] The grand scope of the SolarWinds hack, which went undetected for many months, underscored that even the most sophisticated technology companies (Microsoft, Cisco, and Intel) and government agencies (Treasury, Justice, and Energy) can be vulnerable to attack. These kinds of security incidents can pose grave risks to individual banks and could even undermine the banking system as a whole. To combat these threats, banks will soon be required to promptly report significant cyber incidents to their federal regulators under new rules finalized last week.
The rules were developed jointly by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC).[2] The rules will apply to national banks, state-chartered banks, savings and loan associations, and bank holding companies, among others, regardless of the bank’s size.[3] Compliance with the rules will be required by May 1, 2022, though they technically go into effect one month earlier.
Under the rules, banks will now be required to give notice to their primary federal regulator as soon as possible, and not later than 36 hours, after determining they have suffered a “computer-security incident” that is significant enough to warrant notification. Notice isn’t required for every security incident. Rather, the focus is on the most significant kinds of events that could imperil a bank, its customers, or the banking industry.
To qualify as a reportable “computer-security incident,” there must be “actual harm” to the confidentiality, integrity, or availability of an information system or the information that system uses.[4] Examples include a large-scale distributed denial of service (DDoS) attack that disrupts customer account access for more than four (4) hours, or a hacking incident that disables banking operations for a similar period. It can also include more benign events, such as a failed system upgrade that results in widespread outages or an unrecoverable system failure.[5] It is not necessary that a cyber-criminal caused the problem; what matters is the impact on the confidentiality, integrity, or availability of an information system or of the information itself.
The risk must also be sufficiently grave to qualify as a “notification incident” that triggers a duty to report. This includes incidents that materially disrupt a bank’s ability to carry out banking operations or deliver products and services to a material portion of its customers. It also includes material disruption of business lines that would result in a material loss of revenue or profit. And it further includes disruptions of operations that would pose a threat to the financial stability of the United States, though the agencies acknowledge this last prong will apply only to the country’s largest financial institutions. Materiality is the key. The regulators have estimated that only about 150 events a year will meet the test for reporting, though they invite banks to err on the side of over-reporting if they are unsure whether a report is required.
If a bank does encounter a reportable incident, notice must be made “as soon as possible” and no later than 36 hours after the bank has determined that a reportable incident has occurred. The agencies acknowledge that banks may not immediately be aware when such an incident has occurred, and in explaining the rules they allow that banks may require a reasonable time to make that determination. Once the determination is made, however, prompt reporting is required. The agencies believe this will allow them to monitor patterns and trends, assist banks in responding to cyber threats, and stay aware of emerging threats affecting the industry.
To help alleviate the burden of notice on banks, the rules require only a telephone call or email (or other form of notice the agency may later prescribe) to the designated contact at the bank’s primary federal regulator. The content of the notice requires only the general information known at the time. Banks are not expected to have a resolution within the 36-hour timeframe, nor to provide an assessment or analysis of the incident. Though the agencies do not guarantee confidentiality of these reports, they note that the reports are “subject to the agencies’ confidentiality rules.”
These new rules do not replace the interagency guidance in place since 2005, requiring banks to plan for and protect against unauthorized access to sensitive customer information. The rules also do not displace other requirements for notifying federal law enforcement of security events, including through the filing of Suspicious Activity Reports (SARs) or reports to the FBI as appropriate.
Because banks are increasingly outsourcing core banking functions to third parties, the rules also impose new reporting requirements on certain bank service providers when they suffer material cyber incidents. Covered bank service providers are required to notify banks when they have experienced a computer-security incident that may have a material impact on certain covered services for four (4) or more hours. Notably, the agencies made clear that this notification requirement applies regardless of any conflicting contractual provisions between the bank service provider and the bank (i.e., the bank service provider must comply with the regulation even when its contractual obligations differ from the notification requirement in the rule). Once provided with this notice, banks would then be required to make a determination whether the issue was reportable to their federal regulator.
It is unclear whether these new rules will materially change what most banks do already. The agencies even acknowledged in their rulemaking that many banks already timely notify their federal regulators when major security events like these take place. But banks can no longer delay notice to the regulators until the situation is better understood and a solution has been developed. The new regulations don’t afford banks that luxury, and bankers should update their contingency plans for cyber events to ensure notice is given within the required 36-hour period, with an appropriate follow-up after the situation is better known and the resolution plan has been identified.
[1] The Carnegie Endowment for International Peace maintains a sobering “Timeline of Cyber Incidents Involving Financial Institutions” worthy of review for any unfamiliar with the risks of cyber events to the banking industry.
[2] Notably absent from the rulemaking was the National Credit Union Administration (NCUA). While not subject to the new rules, credit unions are already obligated to provide notice to their regional director within 5 business days of any catastrophic act. This includes any disaster causing an interruption in vital member services that is projected to last more than two consecutive business days. Unlike the new regulations for banks, NCUA’s required notice is more elaborate and must include information about where and when the act occurred, the amount of any loss, whether any operational or mechanical deficiencies might have contributed, and what has been done to correct any deficiencies.
[3] If there are multiple federally regulated entities, such as in the case of a bank and bank holding company, each is expected to make an independent determination of whether a reportable event has occurred and to report, if required, to its primary federal regulator.
[4] Curiously, the regulators didn’t completely rule out the possibility that a “near miss” security incident might need to be reported, stating only that reporting would be required if the “near miss” results in actual harm to the system or information contained in it.
[5] The agencies provide seven examples of situations requiring notice, but declined to provide a comprehensive list of notice situations, preferring instead to rely on the broader definitions and materiality thresholds described below.