The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, material service disruption or degradation for four or more hours.
The Bank Secrecy Act gives the agencies awareness of certain computer-security incidents. Still, it does not cover all computer-security incidents of which the agencies, as supervisors, need to be alerted, and it would not always result in timely notification to the agencies. The rule establishes computer-security incident notification requirements for banking organizations and their bank service providers to ensure that the agencies receive timely alerts of all relevant material and adverse incidents.
What is a Computer-Security Incident?
A computer-security incident is an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability (CIA) of an information system or of the information that the system processes, stores, or transmits. The National Institute of Standards and Technology (NIST) defines such incidents as cybersecurity incidents; the difference is that the FDIC definition also includes the potential harm from an incident, not only harm that has actually occurred. Under the FDIC definition, when a bank experiences a computer incident that has the potential to harm the CIA of its systems, the bank must follow these notification rules.
What Determines the Level of a Notification Incident?
The rule defines a notification incident as a computer-security incident that a banking organization believes in good faith has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, any of the following:
- The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Examples of incidents that generally are considered notification incidents:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than four hours);
- A bank service provider that a banking organization uses for its core banking platform or to operate business applications is experiencing widespread system outages, and the recovery time cannot be determined;
- A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.
The rule provides that a banking organization must notify the appropriate agency-designated point of contact through email, telephone, or other similar methods that the agency may prescribe. Subsidiaries of banking organizations that are not themselves banking organizations have no notification requirements under this rule.
Notification Requirements for Service Providers
The rule requires a bank service provider to notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to the banking organization for four or more hours. The service provider is to notify the banking organization's designated point of contact by the email address, phone number, or other contact method previously provided to the bank service provider. If the banking organization has not previously provided a designated point of contact, the notification must be made to the banking organization's chief executive officer and chief information officer, or to two individuals of comparable responsibilities.
The Effective Date
The agencies have provided an effective date of April 1, 2022, and a compliance date of May 1, 2022, in response to commenters that recommended that the agencies provide additional time to implement the rule.
Action to Take
The rule changes the bank's notification processes and clarifies the service provider notification requirements. Banks should expect many more incidents to require notification during the year. The bank should update its Incident Response Plan and Business Continuity Plan to reflect the updated notification requirements and document the contact information of its critical service providers. The bank will also need to give each critical service provider the proper contact information the provider should use to notify the bank. Additionally, the bank should ensure that contracts with critical service providers document the notification requirements of the new rule. There are no penalties for over-notification, and the expectation is that banks will notify the agencies quickly for many events that may not have been identified as reportable in the past.
Written by: Jeff Spann
SVP Information Security Consulting/Regional Director - SBS CyberSecurity, LLC
SBS Resources:
SBS CyberSecurity has been helping organizations identify and understand cybersecurity risks to make more informed business decisions since 2004. If your organization is looking to better understand your cyber risk; build, maintain, or test your cybersecurity program; and make smarter, more informed cybersecurity business decisions, SBS can help.
- Digital Forensics and Incident Response: Staying current with threat protection, detection, and recovery tactics requires a specific set of training and expertise that not all organizations are able to handle on their own. The SBS Digital Forensics and Incident Response (DFIR) team can help you better prepare for an incident or assist with an active incident.
- Incident Response Planning: An SBS consultant can ensure your well-structured Incident Response Plan (IRP) will help mitigate the negative effects of a security breach, as well as demonstrate to examiners that your organization is properly prepared to handle such an event.
- Business Continuity Planning: A key piece of any Information Security Program is a high-quality Business Continuity Plan (BCP). A well-structured BCP will encompass three areas: business continuity, disaster recovery, and pandemic preparedness. Let SBS help create and test a comprehensive BCP to better prepare your organization for a disaster.