As of April 1st, financial institutions are expected to comply with new cyber incident notification requirements for banking organizations and their third-party service providers. The Computer-Incident Notification Rule, as it’s officially called, is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The final rule—approved last November by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC)—takes effect on April 1, 2022, with full compliance extended to May 1, 2022. (To date, the NCUA has not adopted the new rule, although it’s possible they may at some point. Credit Unions should check with their regulator for notification expectation specifics.)
Understanding the Regulations
To meet the upcoming deadline, financial institutions need to be well versed in the intricacies of the new rule. The rule has two components:
- The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
- The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
Focusing on the financial institution expectations under the final rule, a couple of definitions must be understood.
- A “computer-security incident” could include almost anything: a hardware or software failure, an innocent mistake by an employee, or a malicious act by a cybercriminal. However, the incident must result in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
- A “notification incident” is defined as a significant computer-security incident that has materially disrupted or degraded a banking organization in at least one of these areas:
- its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base in the ordinary course of business
- its business line(s), including associated operations, services, functions, and support that, upon failure would result in a material loss of revenue, profit, or franchise value
- its operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
In the event an incident rises to the level of a “notification incident,” the banking organization’s primary federal regulator must receive this notification as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has happened.
Recognizing the Gray Areas
The words “material” and “materially” are key terms; so much so that they are used 97 times in the 79-page guidance about the ruling. But beyond an “enterprise-wide” impact, the regulation does not precisely define these concepts, so financial institutions will need to specify what this term means to their organization as a whole. And since a determination of materiality is a prerequisite to starting the 36-hour “clock” for notification, they should do so ahead of time. The undefined nature of “material” to each organization creates a gray area open for interpretation that not only allows institutions some flexibility in this area but also opens the door for differences in opinion between an institution and its regulator.
In another gray area, the rule does not impose any specific recordkeeping requirements, which is a reduced burden. However, we strongly recommend keeping at least basic documentation in case the examiners ever question why your institution did or did not decide to escalate an event from a computer-security incident to a notification incident, and why it started the “clock” when it did.
Preparing for the Unknowns
At this stage, there are some unknowns about the implications of the new cyber incident notification requirements. One of the unknowns discussed in our recent webinar was related to an official contact person and method for each primary federal regulator. This has since been addressed and we recommend incorporating the following verbiage into the regulator notification section of your Incident Response Plan:
- Notification can be made to the case manager (primary contact for all supervisory-related matters), to any member of an FDIC examination team if the event occurs during an examination, or if the primary contact is unavailable, the FDIC may be notified by email at: email@example.com.
- Notification may be done by emailing or calling the OCC supervisory office. Communication may also be made via the BankNet website, or by contacting the BankNet Help Desk via email (BankNet@occ.treas.gov) or phone (800) 641-5925.
Federal Reserve Institutions:
- Notification may be made by communicating with any of the Federal Reserve supervisory contacts or the central point of contact at the Board either by email to firstname.lastname@example.org or by telephone to (866) 364-0096.
Another unknown as of the date of this post: Will the State banking regulators also require notification if a federal regulator is notified? The unofficial initial indication we have received is ‘Yes,’ but it would be good practice for institutions to check with their state regulator. Chances are regulators will request this, but whether or not it will be a requirement is still unknown.
Steps to Take Now
There are additional steps financial institutions can take now to be better prepared to address the requirements of the computer-Security Incident Notification Rule.
- Our primary recommendation is for institutions to expand the notification section of their incident response plan to include the criteria for determination of a notification incident, and to add the regulator contact information above.
- Institutions should also define “materially” for their organization and predetermine the meaning of “materially disrupted or degraded,” or what constitutes a “material portion” of their customer base.
- Third-party contracts should contain verbiage obligating them to notify your institution under certain circumstances as required by the new rule. We also strongly advise designating an official contact person within your institution — whether it’s the CEO, CIO, or ISO — who should receive incident notifications from your third parties. It’s also prudent to specify a backup contact person—and make sure vendors know who the primary and alternate contacts are to ensure a smooth notification process.