Rule requires banks report significant ‘computer-security incidents’ within 36 hours

The Office of the Comptroller of the Currency (OCC), Federal Reserve, and Federal Deposit Insurance Corp. (FDIC) approved the policy, which also requires service providers for financial institutions to notify affected bank customers of any service outage caused by a computer-security incident that lasts longer than four hours.

The rule is effective April 1, 2022, and compliance is required by May 1, 2022.

A computer-security incident is described in the rule as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” Such incidents can be caused by a variety of factors, including cyberattacks launched by hackers with “destructive malware or malicious software” as well as “non-malicious failure of hardware and software, personnel errors, and other causes.”

A “notification incident” is defined in the rule as a computer-security incident “that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations; result[s] in customers being unable to access their deposit and other accounts; or impact[s] the stability of the financial sector.”

The rule requires any bank services provider subject to the Bank Service Company Act (BSCA) to notify at least two individuals within the affected banking organization of a computer-security incident that it “believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.” The bank organization would then determine if the incident rises to the level of a notification incident and inform its regulators if that is the case.

“The notification requirement for bank service providers is important because banking organizations have become increasingly reliant on third parties to provide essential services,” the rule said. “… [A] banking organization needs to receive prompt notification of computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, these services because prompt notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact and trigger its own notification requirement.”

The idea behind the rule, according to the regulators, is to “help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic.”

Other regulations, like the New York State Department of Financial Services’ cybersecurity event notification requirement or the EU’s General Data Protection Regulation (GDPR), require regulated entities to report cyber-related incidents within 72 hours. After some commenters on the computer-security incident rule complained 36 hours was too short a window for many institutions to comply, the banking regulators responded by narrowing the definition of a notification incident as serious enough to be material to the company’s operation. They also discarded language originally included in the rule about violations of policies and procedures that contributed to a computer-security incident.

In California, businesses must report data breaches affecting more than 500 state residents to the state attorney general but are not required to report other types of cybersecurity incidents. California residents can also sue businesses in state courts for failing to protect their personal information under a provision of the California Consumer Protection Act (CCPA).