Banking and Finance Law Daily Wrap Up, TOP STORY—FDIC, OCC, and Fed issue final rule on computer security incident reporting, (Nov 19, 2021)

By Justin Marcus Smith, J.D.

The regulators said the rule is meant to give them early awareness of emerging cyber threats to individual banks and systemic cyber threats to the broader financial system.

The Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Federal Reserve Board have issued a final rule that requires banks to notify their primary federal regulator within 36 hours of a computer-security incident that is reasonably likely to "materially disrupt, degrade or impair" bank operation (FIL-74-2021). The rule will take effect April 1, 2022, but full compliance is extended to May 1, 2022. Regulated institutions will typically notify their supervisory office. The FDIC said it will provide further information about incident notification in early 2022.

Proposal and comments. Regulators had been working on the rule since at least December 2020 (see Banking and Finance Law Daily, Dec. 16, 2020). Some commenters urged that the notification requirement apply only to actual harm to a banking institution or service provider. Others urged extending the time requirement to five business days, especially for community banks.

Computer-security incidents, notification incidents. The rule defines a “computer-security incident” as an event that causes actual harm to the confidentiality, integrity, or availability of an information system or its data. The notification requirement will apply whenever a computer-security incident is “reasonably likely” to materially disrupt or degrade banking operations, affect financial performance, or pose systemic risk. These more serious situations will be known as “notification incidents,” which could include large-scale distributed denial of service (DDoS) attacks disrupting customer account access or a crack that disrupts internal operations for an extended period of time.

SARs. An existing suspicious activity report (SAR) requirement applied only to sensitive customer data, and under that rule, institutions had 60 days to submit the SAR. The regulators say the existing SAR requirement did not give them enough time to marshal support, especially as to systemic risk. The final rule specifically mentions that regulators wanted more timely notice so they could pull the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) into incident response. Regulators similarly regarded other preexisting notification procedures under the Bank Secrecy Act and interagency guidance as insufficiently prompt, or as not covering all computer-security incidents. Based on prior experience, regulators expect that only about 150 incidents per year will trigger the new reporting requirement.

Application of rule. The rule will apply, as to OCC purview, to all national banks, federal savings associations, and federal branches and agencies of foreign banks; as to the Fed’s purview, all U.S. bank and savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge and agreement corporations; as to FDIC purview, all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.

Bank service providers. The rule likewise imposes a notification requirement on bank service providers, as defined in the Bank Service Company Act, requiring them to promptly notify their bank partners whenever the service company experiences a similarly defined attack. The final rule notes that the notification requirement for bank service providers is “important because banking organizations have become increasingly reliant on third parties to provide essential services.”

Fintechs, FMUs. Some commenters urged the inclusion of financial technology firms and non-bank OCC-chartered financial services entities, at least to the extent that the regulators have jurisdiction over them. The regulators contended that they have defined the application of the rule to all entities consistent with their supervisory authority. The rule, therefore, will not apply to Financial Market Utilities (FMUs), defined as persons managing multilateral systems for settling or clearing payments. The Fed is considering, however, whether to modify its Regulation HH to include a notification requirement for Fed-supervised FMUs. The final rule noted there is no defined list of FMUs, other than designated FMUs. Affiliated banking organizations will each have their own notification obligations to the extent a “notification incident” applies to them. As is the case with FMUs, “the agencies do not know the precise number of bank service providers that will be affected by the final rule’s notification requirement.” The regulators otherwise estimate the final rule will affect approximately 5,000 institutions in its present formulation.

FDIC statement. A memorandum prepared by the FDIC’s staff recommended that the agency approve and authorize the proposed rulemaking’s publication. FDIC Chair Jelena McWilliams stated, “The final rule … addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations, allowing the FDIC and our fellow banking supervisors to be better positioned to understand and to respond to cybersecurity threats across the banking sector.”
