Lawmakers in Washington have argued about mandatory cyber incident reporting for several years, but it has never gained the traction needed to become widespread law.
For most organizations, silence has long been the default policy when it comes to computer security incidents. No one likes to air their dirty laundry or admit they have been taken advantage of by threat actors.
For those in the banking industry, this is all about to change.
On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule (final rule) establishing computer-security incident notification requirements for banking organizations and their bank service providers.
In short, a banking organization will be required to notify its primary Federal regulator as soon as possible, and no later than 36 hours after it determines that a computer security incident rising to the level of a “notification incident” has occurred. Bank service providers have a separate obligation to notify the banking organizations they serve, described under “Other Notable Odds and Ends” below.
The agencies have provided an effective date of April 1, 2022, and a compliance date of May 1, 2022 for this final rule.
Why Are They Requiring Banks to Report?
There are three distinct reasons for the new cyber incident reporting requirements cited in the Federal Register. Timely notification will allow the Federal agencies to:
- Have early awareness of emerging threats to banking organizations and the broader financial system, enabling information sharing among all banking institutions
- Better assess the threat a notification incident poses to a banking organization and take appropriate actions to address it
- Facilitate and approve requests from banking organizations for assistance through the U.S. Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP)
What Exactly is a “Notification Incident” Anyway?
Under the final rule, a banking organization will be required to notify its primary Federal regulator when it has suffered a computer-security incident that has materially disrupted or degraded, or has a reasonable likelihood of materially disrupting or degrading, the banking organization’s:
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Banks would not be required to make such a notification for adverse outcomes that are merely possible or hypothetical; the disruption must have occurred or be reasonably likely to occur.
What are Some Examples of “Notification Incidents”?
One big difficulty many are having with this rule is determining what exactly counts as a “notification incident.” The confusion is warranted, as computer security incidents are like snowflakes: no two are exactly the same.
Because of this vagueness, the Federal agencies have given some examples of incidents that would generally be considered “notification incidents” under the final rule. The following is a non-exhaustive list:
- Large scale Distributed Denial of Service (DDoS) attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours)
- A bank service provider that is used by a banking organization for its core banking platform is experiencing widespread system outages and recovery time is undeterminable
- A failed system upgrade or change that results in widespread application and service outages for customers and banking organization employees
- A severe system failure that results in activation of a banking organization’s business continuity or disaster recovery plan
- A computer hacking incident that disables banking operations for an extended period of time
- Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations
- Malware that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections
- A ransomware attack that encrypts a core banking system or backup data
Other Notable Odds and Ends
- There are no recordkeeping requirements as part of this final rule
- The final rule also applies to bank service providers, who must notify at least one point of contact at each affected banking organization as soon as possible after determining that a computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours
- While the agencies are charged with keeping the incident notifications confidential, there is always a chance they could become public through a Freedom of Information Act (FOIA) request, decided on a case-by-case basis
- Subsidiaries of banking organizations, that are not themselves banking organizations, do not have notification requirements under this final rule
- There are about 5,000 institutions that are covered under this final rule
- The Federal agencies assessed the impact of this final rule, including a review of previous cyber incidents reported through Suspicious Activity Reports (SARs), and estimate that approximately 150 notification incidents could occur annually
How to Prepare for Compliance
Because the new final rule is so time sensitive with its 36-hour requirement, there are several things your institution should do now, before the compliance date of May 1, 2022 hits:
- Prevent a notification incident through enhanced cyber resiliency. Keep the damage to a minimum by evaluating the current state of your cybersecurity risk and strengthening your cybersecurity controls to prevent the systemic impact of a computer security incident.
- Review and update your incident response plans. Ensure you have the incident identification capabilities to properly qualify a notification incident when one occurs, and a documented step for recording when that determination is made, since the 36-hour clock starts at that point. Also, keep the contact information for your primary Federal regulator up to date.
- Regularly test your incident response processes and capabilities. Through tabletop drills and other exercises, build muscle memory by working through your incident response plans with all the necessary individuals involved.