Federal banking regulators have recently moved the goal post for financial institutions that suffer a data breach with approval of a new rule mandating the disclosure of certain cyber incidents within 36 hours after banks determine that a triggering incident has occurred. The rule, which puts in place the fastest regulatory notification clock we have seen in the U.S., was issued by the Federal Reserve, the Federal Deposit Insurance Corporation, and the Treasury Department’s Office of the Comptroller of the Currency, and largely conforms to the notice of proposed rulemaking that the agencies issued in January. The new rule goes into effect April 1, 2022, and covered banks must begin compliance by May 1, 2022—leading many banks to revamp systems designed to give notice in 30 days.
The new rule comes at a time in which cyberattacks are a larger problem than ever and show no sign of slowing. Financial institutions have always been major targets but have recently suffered an even greater barrage. While the Bank Secrecy Act and the Interagency Guidance on Response Programs for Unauthorized Access to Consumer Information and Customer Notice already require banks to provide the agencies with information regarding certain computer security incidents, the new rule encapsulates regulators’ desire for even more rapid alerts regarding a wider range of such events. According to the banking regulators, the new rule will promote early agency awareness of the most serious threats, helping banks and their supervisory agencies address these threats before they endanger the entire financial system.
Reporting Rules for Banks
The main part of the rule imposes a disclosure requirement on banks (or “banking organizations,” as each of the agencies defines the term), with notable exceptions for SEC- and CFTC-designated financial market utilities (FMUs), because those designated FMUs were already subject to other incident reporting requirements.
The rule requires banks to notify their primary regulator as soon as possible and no later than 36 hours after the bank determines that a “notification incident” has occurred. In recent years, regulators have been pushing notification timelines shorter and shorter, but no other common regulatory reporting requirement has such a short timeline. Both the EU’s General Data Protection Regulation (GDPR) and the New York Department of Financial Services (NYDFS) cybersecurity regulation, which applies to certain insurance and other financial services companies licensed in New York, require covered businesses to notify regulators within 72 hours of determining that a personal data breach has occurred that triggers notice.
A key question for all of these timelines is when the clock begins ticking. The banking rule specifies the 36 hours do not begin until a bank has determined that a “notification incident” has occurred, but, in practice, it can take days or even weeks for a business to determine the scope and severity of an incident. Faced with the tighter timeline, banks could feel pressured to make decisions about whether notification is merited in situations where they have very limited information.
In addition to moving the timeline, the new rule creates a new definition of what type of event triggers regulator notification. Under the banking rule, a “notification incident” is defined as
a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
This new definition moves away from the GDPR model, which is focused on personal information, and closer to the NYDFS focus on cybersecurity events. Under this new definition, a significant breach of personal information could be included, but so could many other incidents that would interrupt a bank’s operations, even if personal data were not affected. In the supplemental information published by the regulators along with the rule, they provided a non-exhaustive list of examples of “notification incidents,” which included the following:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
- A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.
By expanding the definition of a triggering incident in this way, the new rule moves the emphasis from protection of personal information to protection of the banking industry as a critical piece of infrastructure. While this aligns with the risks that banks fear most, namely attacks that target their operations or accounts, it could create ambiguity about which incidents require a report to regulators, especially in situations where banks are sure there has been an event but are not able to determine its scope or significance in a short time frame.
Commenters on the draft rule raised objections that the new rule could lead to over-reporting of incidents and would place a significant burden on banks, since time and resources that could be better directed to incident response would instead be spent determining whether an incident must be reported. The Impact Analysis section that the regulators published with the final rule includes a review of data regarding past cyber incidents that targeted banks. Using that data, the Impact Analysis determined that “computer-security incidents that rise to the level of notification incidents are rare,” estimating the number to be fewer than 150 reportable incidents per year and that only three hours of labor would be necessary for banks to comply if they experience an event. Many with experience in the industry will likely question whether these numbers accurately take into account the time and expense required to thoroughly investigate an event and determine whether it is reportable.
Reporting Rules for Bank Service Providers
Following a model similar to the GDPR, the new banking rule also addresses the duties of service providers, or third parties that perform essential services for banks. As with “data processors” under GDPR, service providers are not responsible for reporting incidents directly to regulators, but they have an obligation to report incidents directly to the banks, who in turn will need to determine whether there is a notification incident and notify the regulators.
The trigger for service providers to notify banks is also slightly different: Upon determining that “it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours” a “bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible.” While the service provider notice window (as soon as possible after the appropriate determination is made) may be shorter than the 36 hours from that determination that applies to banks, the language could also be interpreted to allow more margin for maneuver than a strict hour requirement, which banks will likely address in contracts with service providers.
What This Could Mean In 2022
Once enforcement begins in 2022, it will be interesting to see whether the new rules will lead to significant over-reporting that could overwhelm the banking regulators, as has been the experience with similarly aggressive reporting regulations in Europe.
In any event, banking organizations that are covered by the new rule would be wise to ensure that their agreements with service providers require notification of incidents within a short time window, that they have measures in place to quickly evaluate whether an incident rises to the level of triggering notification, and that they prepare procedures for making such notifications efficiently, so that they will not be in danger of missing the 36-hour notice deadline.