On December 18, 2020, federal financial regulators including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (collectively, the “Agencies”) announced a proposed rule (the “Proposed Rule”) that would require “banking organizations” to notify their primary federal regulator within 36 hours of a “computer security incident” that rises to the level of a “notification incident”. The Proposed Rule would also require bank service providers to notify at least two individuals at each banking organization they serve immediately after a computer security incident that significantly disrupts, degrades, or adversely affects the services they provide.
The Proposed Rule defines a “computer security incident” as “an event that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
The Proposed Rule, in turn, defines a “notification incident” as “a computer security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair –
(i) the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) any business line of a banking organization, including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
The Agencies note that the purpose of the notification requirement in the Proposed Rule is to give the Agencies early awareness of an incident; it is not intended to produce a full and thorough assessment of a particular incident. With early notification, the Agencies can:
- become aware of emerging threats to individual banking organizations and, potentially, to the broader financial system;
- assess the extent of a threat to a particular banking organization and take appropriate action;
- provide information to a banking organization that may not previously have faced a particular notification incident;
- better conduct analysis across supervised banking organizations to improve guidance, adjust supervisory programs, and provide information to the industry so that banking organizations can better protect themselves; and
- facilitate and approve requests from banking organizations for assistance from the U.S. Department of the Treasury on cybersecurity and critical infrastructure protection.
Banking organizations may notify the Agencies by any form of written or oral communication, including through technological means, to their designated point of contact at each Agency. The Proposed Rule indicates that a computer security incident may result from a non-malicious hardware or software failure, or from human error. The Agencies also emphasize that a banking organization experiencing a computer security incident that is potentially criminal in nature should contact the appropriate law enforcement or security agencies after the incident occurs.
The Agencies have requested comment on key elements of the Proposed Rule, including (1) whether the definitions of “computer security incident” and “notification incident” should be changed; (2) whether the 36-hour notification window is too short or too long; and (3) which services, when disrupted, should require a bank service provider to notify its affected banking organization customers, and why.
Interested parties may submit comments within 90 days of the Proposed Rule's publication in the Federal Register.