On November 18, 2021, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”) and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) finalized new cyber incident notification requirements for institutions that they regulate and their service providers (the “Notification Rule”).1 The Notification Rule expands and clarifies existing notification obligations of financial institutions, which are primarily focused on consumer protection and suspicious activity reporting. Additionally, the Notification Rule will require service providers to notify their financial institution customers if certain computer security incidents occur. While the Bank Service Company Act (“BSCA”) generally subjects service providers to supervision and examination by the Federal Regulators as if the services were performed by the financial institution, this authority has not been recently used to directly regulate the conduct of a service provider.2
The Notification Rule takes effect April 1, 2022, and compliance is required beginning May 1, 2022. This Legal Update describes the new Notification Rule. Please see our Legal Update on the proposed Notification Rule for background information on bank incident notification requirements generally and the BSCA.
The Notification Rule imposes incident notification requirements on financial institutions and their service providers. For these purposes, a financial institution includes a national or state bank, a savings association, an Edge or agreement corporation, a US branch or agency of a foreign bank, and a bank or savings and loan holding company.
The proposed version of the Notification Rule did not expressly cover nonbank subsidiaries of banks or bank holding companies or the foreign operations of foreign banking organizations, and the preamble to the Notification Rule confirms that nonbank subsidiaries of financial institutions generally should not be subject to its requirements, unless they otherwise qualify. Further, the Federal Regulators revised the Notification Rule to make it clear that it does not apply to designated financial market utilities, which already notify regulators of relevant incidents under other regulations or as a matter of practice.3
Financial Institution Notification
First, a financial institution will be required to notify its appropriate Federal Regulator of a “notification incident” as soon as possible and no later than 36 hours after the institution determines that a reportable event occurred.4 This is shorter than the reporting deadline established by other regulators, such as the New York Department of Financial Services. However, it appears that the Federal Regulators intend for the Notification Rule to capture fewer occurrences and, therefore, were not persuaded by comments that argued for a longer period.
The notification may be provided in written or oral form (including email or telephone) and may be made to the institution’s designated point-of-contact at the Federal Regulator. The notification should convey whatever general information is known to the institution regarding the incident but does not need to be made using a specific form or format.
Under the Notification Rule, a “notification incident” is defined as a computer security incident that has materially disrupted or degraded:
- The ability of the institution to carry out banking operations, activities or processes or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Any business line of an institution, including associated operations, services, functions and support, and the incident would result in a material loss of revenue, profit or franchise value; or
- Those operations of an institution, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
A “computer security incident” is further defined as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This is narrower than the definition in the proposal, which would have included potential occurrences and occurrences that constituted a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. However, the Federal Regulators emphasize in the preamble to the Notification Rule that the definition of a computer security incident remains broad and can include non-malicious occurrences, such as the failure of hardware and software and personnel errors.
The preamble to the Notification Rule recognizes that a financial institution will need to undertake a reasonable investigation to determine that a notification incident has occurred and explicitly states that this determination need not be made outside of normal business hours.5 It also clarifies that not all cybersecurity events are reportable and provides a non-exhaustive list of events that would rise to the level of a notification incident:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than four hours);
- A bank service provider that is used by a financial institution for its core banking platform to operate business applications that experiences widespread system outages and recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and financial institution employees;
- An unrecoverable system failure that results in activation of a financial institution’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on a financial institution’s network that poses an imminent threat to the institution’s core business lines or critical operations or that requires the institution to disengage any compromised products or information systems that support its core business lines or critical operations from internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.
The Notification Rule discusses the interaction between the notification requirement and the resolution planning rule and indicates that institutions subject to the resolution planning rule may rely on prior identification of core business lines and critical operations to inform the determination that an event is reportable. While all institutions must understand their operations sufficiently to make such determinations, smaller institutions are not required to map core business lines and critical operations.
Additionally, the Notification Rule indicates that each financial institution within a holding company structure must separately assess its reporting obligation, and the parent of an entity that is not a financial institution (e.g., nonbank subsidiary) should consider if it must make a separate report to its Federal Regulator based on the indirect effect of an incident at the subsidiary.
Service Provider Notification
For purposes of the Notification Rule, a service provider will be any person performing services for a financial institution that are subject to the BSCA.6 While the Notification Rule does not further define the services that are subject to the BSCA, the Federal Regulators modestly revised the language from the proposal and may have abandoned their view that covered services include components that underlay other covered services.
The Notification Rule explicitly requires a service provider to notify each affected financial institution customer as soon as possible after the service provider determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four or more hours. This language is a subtle change from the proposal that is intended to reduce over-notification by service providers.
Additionally, the Notification Rule revises the proposal’s requirement that a service provider notify two individuals at each affected financial institution customer. Under the revised requirement, a service provider may comply with its duty by notifying a contact designated by the financial institution or, if no such contact has been designated, notifying the financial institution’s chief executive officer and chief information officer (or two individuals of comparable responsibilities).
The preamble to the Notification Rule notes that many existing service provider contracts already include incident-reporting provisions but states that this new requirement applies to service providers regardless of the content of a contract with the financial institution. Further, the Notification Rule does not abrogate contracts that contain more stringent incident-reporting provisions.
The preamble to the Notification Rule also confirms that a computer security incident at a service provider also could trigger a reporting obligation by the financial institution, but this obligation would rest with the institution, not the service provider.
In the preamble to the Notification Rule, the Federal Regulators indicate that the thousands of regulated financial institutions experience a total of approximately 150 notification incidents per year, and the preamble to the proposal had estimated 120,000 service providers experience a total of approximately 36 computer security incidents each year. While these numbers are based on the experience of Federal Regulators and may seem low to industry observers, they appear to reflect the Federal Regulator’s high threshold for identifying an event as material.
Additionally, while service providers have long been subject to the BSCA, including examination by the Federal Regulators, the creation of affirmative regulatory requirements for service providers is an important development. Even if the regulatory requirement mirrors a service provider’s existing contractual obligation and the accompanying service levels, the provider may need to consider creating or modifying its compliance program to ensure that it satisfies the notice obligation in the final rule. Furthermore, while the Notification Rule applies regardless of contractual terms, we expect that financial institutions will expressly address it in new contracts.
Lastly, the Federal Trade Commission (“FTC”) recently proposed a regulation that would require certain nonbank financial institutions to report certain data breaches and other security events to the FTC.7 This proposal is consistent with the recent trend illustrated by the Notification Rule of imposing regulatory notification obligations on financial institutions of all sizes. Further, it is consistent with the FTC’s recently amended safeguarding rule, which will likely result in the imposition of similar reporting obligations on vendors.