On November 18, 2021, the three primary banking regulatory agencies — the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC) – jointly approved a final rule with two distinct notification requirements:
- The rule requires “banking organizations” to notify their primary federal regulator of any significant “computer-security incidents” as soon as possible and no later than 36 hours after the bank determines a “notification incident” has occurred.
- The rule also requires “bank service providers” to notify any affected banking organization customer of “computer-security incidents” that has “caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”
The rule became effective on April 1, 2021, and requires compliance by May 1, 2022.
Who is subject to the rule?
As explained above, the rule imposed distinct requirements “banking organizations” and “bank service providers.”
“Banking organizations” generally include any organization that is regulated by the OCC, the Board, or the FDIC. Specifically:
- For the OCC: “national banks, federal savings associations, and federal branches and agencies of foreign banks.”
- For the Board: “all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.”
- For the FDIC: “all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations”
The rule expressly excludes designated financial market utilities (“FMUs”) from its definition of “banking organization” and “bank service provider.” See 12 U.S.C. § 5462(4). To the extent an FMU is supervised by the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”), the FMUs are subject to any notification requirements imposed by those agencies. See e.g., SEC Reg. SCI, 17 CFR 242.1000 (SEC); 17 CFR 39.18(g) (CFTC).
When making the rule, the agencies also considered a rule being on “additional entities, such as financial technology firms and non-bank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms.” In the end, the agencies simply concluded that the definition of banking organization under the rule was “consistent with the agencies’ supervisory authorities.” To the extent that a banking organization is required to make a notification under the rule, that notification must go to the agency with primary regulatory oversight over the organization.
A “Bank Service Provider” includes persons and companies performing “covered services” subject to the Bank Service Company Act, 12 U.S.C. 1861-1867 (“BCCA”). The definition is vague, but the Agencies’ rulemaking explains that the purpose of the definition was to encompass any company that provides services to a banking organization that could be involved in a service disruption.
When is notification required?
The respective notification requirements applicable to Banking Organizations and Bank Service Providers are based on the occurrence of a “Computer Security Incident.” For consistency, the Agencies adopted the same definition of “Computer Security Incident” as provided by the National Institute of Standards and Technology (“NIST”). Thus, a “computer-security incident” is “an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
Bank Organizations must provide notification to their regulating agency when a “computer-security incident” rises to the level of a “notification incident.” A notification incident is a “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s) (any product or service that serves or supports business needs), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The definition of “notification incident” is broad enough to encompass any computer-security incident that impacts the banking organization’s general operations. As a practical matter, a banking organization will want to provide notification for any computer security incident that is likely to materially disrupt its operations or services to ensure compliance.
The banking organization must provide notice to the appropriate agency “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”
Bank Service Providers
Bank Service Providers’ notification requirement is triggered by the occurrence of the computer-security incident that has or is reasonably likely to “materially disrupt or degrade” the services it provides the bank for four or more hours. The rule makes clear that scheduled maintenance, testing, or software updates that have been previously communicated to the banking organization are not subject to the rule’s notification requirement.
The bank service providers must provide notification to the designated point of contact at each banking organization at which any customer will be impacted by the bank services provider’s degradation or disruption of service. The bank service providers must provide notification “as soon as possible.”
The joint new rule from OCC, Board, and FDIC is consistent with a recent trend of varying state and federal regulatory bodies imposing independent notification obligations related to a data incident.
The imposition of new notification requirements may lead to the imposition of inconsistent notification requirements (e.g., the Agencies’ rule conflicts with the state incident notification laws). The rule could place the banking organizations between a rock and a hard place. For example, the banking organization could determine that notification is required under the new rule but may need additional time to determine if notification to state agencies and customers is necessary. The perceived delay may serve as a justification for the imposition of fines or to support a theory of liability in litigation related to the incident.
The proper timing for notification will always be a case-by-case decision. Banking organizations and bank service providers should work closely and proactively with experienced incident response counsel to ensure compliance with notification laws and to mitigate against creating any bases for the imposition of penalties or civil liability.
Beckage closely monitors developments in laws and regulations governing cybersecurity. Beckage’s team of highly skilled attorneys and technologists are uniquely situated to assist clients as they navigate these changes.
*Attorney advertising: prior results do not guarantee similar outcomes.
Sources: 12 C.F.R. Part 53; 12 C.F.R. Part 255; 12 C.F.R. Part 304
Copy of the final rule: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf