Comments Sought on Proposed Rulemaking: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved and the federal banking agencies jointly announced on December 18 a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR).¹ The NPR is a joint proposal by the Office of the Comptroller (OCC), the Board of Governors of the Federal Reserve System (Board), and the FDIC. 

Generally, if finalized, the NPR would require banking organizations and bank service providers (each, as defined further below) to provide accelerated notices of certain cybersecurity and related events. For banking organizations, notice to regulators would be required within 36 hours of a determination of the event — upending the 72-hour standard shared by several other regulatory regimes for expedited notice and requiring legal and regulatory analysis and determinations to be made during the critical earliest hours of incident response. The proposal would also broadly expand the scope of regulatory cybersecurity notification obligations, going well beyond incidents that compromise personal information. The notification obligations on service providers to report certain cybersecurity events to banking organizations require “immediate” notice of an even broader category of events. 

The preamble to the NPR explains that the agencies are operating under their authority to promote the safety and soundness of banking organizations and that the proposed notification requirements are intended to, among other things, provide an early alert to the regulators to enable them to better identify and address emerging threats that could impact multiple banking organizations or the broader financial system, share information with banking organizations, and aid in the development or improvement of existing guidance and supervisory programs. 

While recognizing that the NPR would impose new notification obligations on the covered entities, the agencies nevertheless assert that the impact and cost of this NPR, if adopted, should be de minimis, suggesting that many banking organizations and bank service providers are conducting activities that would support the proposed notification requirements. Further, the agencies refer to the standard for regulatory notification as a “high threshold” and estimate that the NPR, if adopted, would result in approximately 150 regulatory notifications being provided annually in the aggregate by all banking organizations and that only 2% of bank service providers would experience a reportable computer-security incident annually. 

The agencies did not appear to rely on industry cybersecurity threat reports in determining this number. While stating that the agencies “used conservative judgment” in estimating the volume of incidents, the agencies conceded that “the approach may also underestimate the number of notification incidents since supervisory and SAR data may not capture all such incidents.” Suspicious activity report (SAR) data and supervisory reporting on incidents would typically relate to reportable events under existing legal and regulatory reporting standards that are more narrow than the proposed expanded scope of reportable events. Indeed, the desire to expand the scope of reportable events for a deeper visibility into cybersecurity events is a key reason for the proposal. 

The agencies also estimated that it would take only three hours to evaluate, prepare, and complete certification — acknowledging that this would require “staff time to coordinate internal communications, consult with its bank service provider, if appropriate, and notify the banking organization’s primary federal regulator. This may include discussion of the incident among staff of the banking organization, such as the Chief Information Officer, a senior legal or compliance officer, and staff of a bank service provider, as appropriate, and liaison with senior management of the banking organization.” These estimates leave no room for outside legal counsel discussions, forensic analysis, or discussion on updates to forensic analysis that inevitably occur during the early hours and days of incident response. The agencies further stated that they “believe that the regulatory burden associated with the notice requirement would be de minimis, because the communications that led to the determination of the notification incident would occur regardless of the proposed rule.” However, the discussions that “would occur regardless of the proposed rule” would relate to operational and security needs and would not have involved discussion of an additional, novel, and disparate regulatory reporting standard prior to this rule.  

Accordingly, banking organizations and bank service providers should carefully evaluate the applicable definitions triggering notification requirements to evaluate the potential frequency of the notification requirements and consider how to leverage their existing responses to cybersecurity incidents, including enterprisewide reporting of such incidents, to prepare for the potential expanded scope and new early deviation in reporting times under the NPR. 

The agencies are seeking general comments as well as specific comments on 16 listed topics, due 90 days from the date that the NPR is published in the Federal Register. The topics on which input is specifically sought include the scope of the covered banking organizations, applicable definitions, standards for notice, method of notice to the regulatory agencies, timeframes for providing notice, and the impact of the proposed rule.

This client alert summarizes the proposed notification requirements, including covered entities, notification triggers, and the required timing, method, and content of required notifications.

Definition of Subject Entities: 

• A “banking organization” that would be subject to the obligation to notify its primary federal regulator includes national banks, federal savings associations, and federal branches and agencies supervised by the OCC; U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations supervised by the Board; and insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations supervised by the FDIC.²  
• A “bank service provider” that would have an obligation to notify its affected banking organization customers is a “bank service company or other person providing services to a banking organization that is subject to the Bank Service Company Act.”³ 

Notification Requirements: The NPR, if finalized, would impose the following two new notification requirements in the event of certain cybersecurity incidents: 

• Notification by a banking organization to its primary federal regulator (OCC, FDIC, or Board) in the event of a “notification incident” (definition explored below).⁴ In addition to the obligation to report notification incidents that a banking organization experiences directly, the NPR makes clear that banking organizations also must report (i) a notification incident experienced by a subsidiary banking organization (e.g., a bank subsidiary of a bank holding company) that would also constitute a notification incident for the holding company itself or (ii) a computer-security incident experienced by its bank service providers or subsidiaries that are not banking organizations if they meet the standard for a notification incident of the banking organization. While not expressly included in proposed rule language, this would require banking organizations to ensure that their policies and procedures include notice requirements from subsidiaries to parents of notification incidents and the broadly defined computer-security incidents, as applicable. Each banking organization subsidiary also would have its own notification obligation separate from that of its parent banking organization, resulting in duplicate notice requirements for holding companies and their banking subsidiaries.
• Notification by a bank service provider to its affected banking organization customers of “computer-security incidents” that could affect services provided for four or more hours. The preamble states that failure of a bank service provider to give a required notice to a banking organization would be enforced against the bank service provider and that regulators would not cite the banking organization for such failure of its bank service provider.

Notice Triggers:

• A banking organization would be required to notify its primary federal regulator in the event of a “notification incident,” which is defined as

a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair —

(i) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or

(iii) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.⁵ 

• A bank service provider would be required to notify its affected banking organization customers of “computer-security incidents” that the provider in good faith believes could disrupt, degrade, or impair services subject to the Bank Service Company Act provided for four or more hours.

• The term “computer-security incident,” which underlies the proposed notification triggers for both banking organizations and bank service providers, is defined as 

an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.⁶  

• Note that although the definition of “notification incident” includes a materiality standard, the definition of “computer-security incident” does not. This is an omission with significant import for bank service providers whose notice obligation could be triggered by even a single threatened breach of an acceptable use policy if the provider in good faith believes such breach could disrupt, degrade, or impair services subject to the Bank Service Company Act provided for four or more hours. The standard also does not identify whose policies (the banking organization’s or the bank service provider’s) would be at issue. In either case, the inclusion of “acceptable use” in this litany raises significant policy questions, as acceptable use policies may vary significantly among institutions and have little to do with the security issues that underlie the NPR. Indeed, it is routine and accepted in the industry that service levels may occasionally be impacted or interrupted by IT incidents that are appropriately managed even if there is some disruption, degradation, or impairment. That is why Service Level Addendums are commonly negotiated between parties, commercially, to agree on service delivery standards. These relatively low standards for bank service providers will also create a potentially significant burden on the banking organizations to investigate whether these computer-security incidents are notification incidents for purposes of their notification obligations. 

• While the definition of “notification incident” that triggers a notification requirement of banking organizations includes a “good faith” standard for the banking organization’s determination that notice is required, the definition of “computer-security incident” that triggers bank service provider notification requirements does not include that standard. However, the NPR states that bank service providers are also subject to a good faith standard for developing a belief that a computer-security incident it experiences “could disrupt, degrade, or impair services […] for four or more hours.”⁷ 

Timing and Method of Notices: 

• If a banking organization determines a notification to its primary federal regulator is required, it must notify the designated point of contact at the relevant regulator of the incident within 36 hours after making that determination. The notice may be made by any form or written or oral communication, including any technological means (e.g., email or telephone).
  • The NPR explains that the 36-hour period would begin to toll only after the banking organization reaches a good faith determination that an incident satisfies the definition of a notification incident, which the agencies indicate they expect would take a “reasonable amount of time” to reach. However, it is often the impact and scope of an security incident (if any) that takes time to determine — not whether it has indeed occurred, especially when the standard can boil down to something that can cause “potential harm.”
  • Noting that existing reporting requirements do not provide regulators “sufficiently timely” notice of the subject incidents, the NPR would require a banking organization to provide its regulator a required notification on a faster timeline than (and in addition to) the notices currently required by the Bank Secrecy Act (BSA).⁸ Under the BSA, SARs must be filed within 30 days “after the date of initial detection by the bank of facts that may constitute a basis for filing a SAR.”⁹  Notably, the proposed 36-hour timeline is also more accelerated than that required for similar incidents required by the New York Department of Financial Services, which requires notices be provided to the superintendent within 72 hours from determination that a cybersecurity event has occurred.¹⁰
• If a bank service provider determines that a notification to its banking organization customers is required, it would be required to notify at least two individuals at each affected banking organization immediately after a computer-security incident “that it believes in good faith could disrupt, degrade, or impair services provided, subject to the Bank Service Company Act, for four or more hours.”¹¹ This standard will likely generate significant comments from service providers who will find the requirement unworkable.

Content of Notices: 

• Stating that notification to the regulators is intended to serve as an early warning and not an assessment, the NPR does not prescribe any particular form or content for either notice and notes that only general information about what is known about the incident would be expected to be given. Notices given by banking organizations and the content of the notices would be subject to the agencies’ rules regarding confidentiality.
• Bank service providers would be expected to use “best efforts” to provide banking organizations “general information about what is known at the time.” That likely will result in the need to expend additional time and resources to provide updates to initial reports as events, and a better understanding of the facts, evolve. 

^₁ The NPR is currently available at www.fdic.gov/news/board/2020/2020-12-15-notice-sum-c-fr.pdf until it is published in the Federal Register.
² NPR, proposed 12 C.F.R. § 53.2(b)(1); 12 C.F.R. § 225.301(a); and 12 C.F.R. § 304.22(b)(1).
³ NPR, proposed 12 C.F.R. § 53.2(b)(2); 12 C.F.R. § 225.301(a); and 12 C.F.R. § 304.22(b)(2).
⁴ If a computer-security incident may be criminal in nature, the preamble of the NPR states that a banking organization is also expected to contact the relevant law enforcement or security agencies.
⁵ NPR, proposed 12 C.F.R. § 53.2(b)(5); 12 C.F.R. § 225.301(a); and 12 C.F.R. § 304.22(b)(5). The NPR explains that banking organizations that are subject to the resolution planning rules promulgated by the FDIC and the Board under section 165 of the Dodd-Frank Act may rely on the core business lines and critical operations identified in their resolution plans for purposes of interpreting the second and third prongs of the definition of “notification incident” in the NPR. Other banking organizations are not required to identify “core business lines” or “critical operations” but are expected to understand their business lines such that they can notify their banking regulator if the incident could result in material loss of revenue, profit, or franchise value.
⁶ NPR, proposed 12 C.F.R. § 53.2(b)(4); 12 C.F.R. § 225.301(a); and 12 C.F.R. § 304.22(b)(4).
⁷ NPR, proposed 12 C.F.R. § 53.4; 12 C.F.R. § 225.303; and 12 C.F.R. § 304.24
⁸ Although the NPR recognizes that certain covered events may be required to be notified to the regulators under the Gramm-Leach-Bliley Act (GLBA) “as soon as possible” after becoming aware, the GLBA notification obligation is limited to an incident involving unauthorized access to or use of sensitive customer information and thus excludes certain incidents that would be covered by the NPR notification requirements.
⁹ 31 C.F.R. §1020.320(b)(3).
¹⁰ 23 NYCRR § 500.17(a).
¹¹ NPR, proposed 12 C.F.R. § 53.4; 12 C.F.R. § 225.303; and 12 C.F.R. § 304.24.