Client alert: Banking regulators approve new cybersecurity incident 36-hour notification requirement

This article was originally written by our North America colleagues for a U.S. audience. We have shared this article as our global clients providing services to the US banking industry, or with banking operations in the U.S would be in scope of the new rule. Please speak to your local office contact to further discuss any of the points raised in this article.

On November 18, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency issued a joint Final Rule to establish computer-security incident notification requirements for all FDIC-supervised institutions and their bank service providers. This rule takes effect on April 1, 2022, with full compliance required by May 1, 2022. It is estimated to impact approximately 5,000 depository institutions.

FDIC Chairman Jelena McWilliams noted that the rule “addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations.”

Key highlights:

• Banking organizations will be required to notify their appropriate primary federal regulator as soon as possible and no later than 36 hours after the banking organization determines that a computer-security incident has risen to the level of a notification incident.
• The rule defines computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
• A notification incident is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
  1. ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  2. business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  3. operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
• The banking organization must provide this notification to the appropriate primary federal regulator or designated point of contact, through email, telephone, or other similar methods that the regulator may prescribe.

Examples of notification incidents under the new rule include a major computer-system failure; a cyber-related interruption, such as a ransomware attack or other malware attack, a distributed denial of service attack; or another type of significant operational interruption, which does not trigger state data breach notification laws unless there was unauthorized access or unauthorized acquisition of personal consumer information.

Bank service providers

An additional part of the rule requires bank service providers to notify their banking clients in the event it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade covered services provided to such banking organizations. Unlike the quick 36 hour notification timeframe for banking organizations, bank service providers are required to notify the affected banking organization “as soon as possible”. Covered services are those performed by a person subject to the Bank Service Company Act. The rule allows bank service providers some flexibility to make the determination, requiring notification “as soon as possible,” rather than the proposed “immediately”.

Notice must be given to the banking organization’s designated point of contact, if previously provided, or to the bank’s chief executive officer and chief information officer or two individuals of comparable responsibilities.

Considerations

Willis Towers Watson recommends that all risk managers read the Final Rule in detail, as it provides additional commentary on the intent and thought process of the regulators in finalizing the rule. Willis Towers Watson considers the following items of note for consideration for impacted organizations:

• Review the notification requirements in contractual arrangements with bank service providers to determine, what if any, amendments should be made to comply with the final rule, which may include adding contact information for at least one designated individual within the bank to receive such notification.
• Revise incident response plans to include the evaluation of whether an incident is a ‘computer security incident’ or ‘notification incident’.
• Analyze these definitions against any cyberinsurance policy triggers so that appropriate notice is provided to carriers.
• Update incident response plans to include contact information of primary federal regulator, or as described in the final rule: “appropriate agency supervisory office or other designated agency contacts, which may include designated supervisory staff, call centers, incident response teams and other contacts to be designated by the respective agency”

Though much of the ambiguity and challenges presented in the Notice of Proposed Rulemaking were addressed with the Final Rule, the impact to affected organizations does have potential to be material, in particular the 36-hour reporting window. Time will tell if the rule is effective in achieving its objective to promote early awareness of emerging threats to banking organizations and the broader financial system.

Author

---

Emily Lowe

Director, FINEX Cyber team North America

email Email

---

Contact

---

Sabba Manyara

Cyber Lead, Hong Kong, WTW

email Email

---