The Final Rule: Will Your Organization Be Compliant?

Written by: Dan Poucher

In the wake of increasingly targeted, scaled, and damaging cyberattacks (ransomware, denial of service, phishing, etc.) on the financial services industry, the federal banking agencies have deemed it critical that a banking entity’s primary federal regulator be notified rapidly of a significant computer-security incident. Incidents that threaten the entity’s operations, such as those that delay service or leave the entity unable to serve its customers or members, require prompt notification. Early notice lets the agencies recognize new or emerging threats to the financial services landscape of the United States and react to them before they become systemic.

In November 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) jointly published “The Final Rule” establishing “computer-security incident” notification requirements for banking entities and their bank service providers. The Final Rule defines a “computer-security incident” as an occurrence that results in actual harm to the “confidentiality, integrity, or availability of an information system, including the information processed, stored, or transmitted by an entity’s network.”[1] Not every such incident must be reported. The rule requires a banking entity to notify its primary federal regulator as soon as possible, and no later than 36 hours after the entity determines that a “notification incident” has occurred. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the entity’s ability to carry out banking operations or deliver products and services to a material portion of its customer base, a business line whose failure would cause a material loss of revenue, profit, or franchise value, or operations whose failure would threaten the financial stability of the United States.[2] Two points matter in practice. First, the 36-hour clock starts at the entity’s determination that a notification incident has occurred, not at the moment the incident began, so the plan must record when that determination is made. Second, the rule does not impose a customer or member notification requirement on the banking entity; the four-hour threshold that is often cited applies to bank service providers, which must notify affected banking entities when a computer-security incident has disrupted, or is reasonably likely to disrupt, covered services for four or more hours.

Federal Regulatory Body Notification Requirements

The definition of a banking entity depends on which agency supervises it. All banking entities supervised by the agencies below, and their bank service providers, must comply with the Final Rule:

  • FDIC-supervised institutions: state savings associations, insured state nonmember banks, and insured state-licensed branches of foreign banks
  • OCC-supervised banking organizations: national banks, federal savings associations, and federal branches and agencies of foreign banks
  • Federal Reserve-supervised banking organizations: U.S. bank holding companies, U.S. savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge or agreement corporations
  • Bank service providers: a bank service company or other person that performs covered services (services subject to the Bank Service Company Act) for a banking organization; a designated financial market utility is not treated as a bank service provider

Separately, the Final Rule places its own obligation on bank service providers. A provider must notify at least one bank-designated point of contact at each affected banking entity as soon as possible after it determines that a computer-security incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the covered services it provides to that entity for four or more hours. If the banking entity has not provided a designated point of contact, the notification must go to the entity’s Chief Executive Officer (CEO) and Chief Information Officer (CIO), or to two individuals of comparable responsibilities. Banking entities should therefore designate a point of contact, communicate it to each provider, and make sure that contact can route a provider’s notice into the entity’s own notification-incident determination, since a provider outage can itself be the event that starts the entity’s 36-hour clock. The Final Rule took effect on April 1, 2022, and all banking entities and bank service providers must comply by May 1, 2022.

How to Become Compliant

Banking entities should treat the new rule as an opportunity to review their incident response plans for adequacy and compliance. Update all relevant documentation whenever new requirements arise so that a reporting obligation is not missed in the middle of an incident. In particular, the plan should name who is responsible for deciding that a computer-security incident is a notification incident, state the criteria for that decision (material disruption of operations or services to a material portion of customers, of a material business line, or of operations critical to U.S. financial stability), record the time of the determination because the 36-hour clock starts there, and list the primary federal regulator’s designated contact and accepted channels. The agencies accept notice by email, telephone, or similar means and do not require any specific content beyond the fact that a notification incident has occurred, so an initial notice should not be held back while the investigation is still incomplete. Existing policies and procedures throughout the plan(s) should incorporate the new stipulations while still ensuring an effective response to a cyberattack. Understanding the stipulations in cyber insurance coverage is also critical: decision makers need to know when to notify the carrier and how involved the services provided under the coverage will be in the collective response effort. Banking entities should conduct awareness training and tabletop exercises so that personnel are familiar and comfortable with response efforts during an incident, including the notification decision itself. Finally, the incident response plan should be maintained at least annually to capture any infrastructure, security, operational, or regulatory changes that, if not incorporated, could have a high impact on the entity’s assets or reputation.

Read the full “Final Rule” release here:

occ.treas.gov/news-issuances/news-releases/2021/nr-ia-2021-119.html

fdic.gov/news/financial-institution-letters/2021/fil21074.html


[1] McDonough, Benjamin. “Computer-Security Incident Notification: Final Rule.” OCC Bulletin 2021-55, November 23, 2021. https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-55.html.

[2] Garrett, Treena. “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” Federal Register, Vol. 86, No. 223, Rules and Regulations, November 23, 2021. https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf.