Banking organizations and their service providers are now subject to a tight 36-hour breach notification timeframe—the shortest timeline of any U.S. data breach notification law. Starting earlier this month, on May 1, covered banks and providers were required to be in full compliance with a new cyber incident notification rule (“Banking Rule”), issued by the Federal Reserve, the Federal Deposit Insurance Corporation (“FDIC”), and the Treasury Department’s Office of the Comptroller of the Currency (“OCC”) (“the Agencies”), mandating disclosure of triggering cybersecurity incidents (“notification incidents”) within 36 hours after an organization determines such an incident has occurred.
As we observed in a previous post, the Banking Rule, which became effective on April 1, comes at a time when cyberattacks are on the rise and when regulators have, in response to increasing cyber intrusions, enacted or proposed a series of stringent incident reporting requirements. In December 2021, the Federal Trade Commission (“FTC”) proposed an amendment to the recently updated Safeguards Rule that, if adopted, would require covered financial institutions to report to the FTC any security event involving the misuse of customer information of at least 1,000 consumers. Shortly thereafter, in February, the Securities and Exchange Commission (“SEC”) proposed extensive new rules for registered investment advisers and registered investment companies (“funds”) that would, among other things, require advisers to report “significant adviser cybersecurity incidents” and “significant fund cybersecurity incidents” to the SEC within 48 hours of concluding that an incident had occurred. A month later, the SEC followed up with proposed updates to its public-company cybersecurity disclosure rules, which, if adopted, would compel issuers to file an amended Form 8-K within four business days after a triggering material cybersecurity incident took place.
Notably, the final Banking Rule, as well as the flurry of recently proposed cyber reporting regulations, surfaced against the backdrop of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which President Biden signed into law in March and which requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. CIRCIA’s 72-hour timeframe is in line with the breach reporting timeline of the EU’s General Data Protection Regulation (“GDPR”) and the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation, which applies to certain insurance and other financial services companies licensed in New York.
Reporting Requirement for Banks
The Banking Rule’s 36-hour notification requirement does not begin until a bank “determines that a notification incident has occurred”—a determination threshold that was revised from the original proposed rule, which required notification after an organization “believes in good faith that a notification incident has occurred.” While the final determination threshold allows banks a bit more time to investigate the nature of a potential notification-triggering cybersecurity incident, that evaluation in practice can take weeks or months; the 36-hour timeframe may therefore pressure institutions to make fast decisions about their reporting duties with limited information.
The Rule defines a “computer-security incident” as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits,” and then separately defines the narrower subset of such incidents that triggers notification. Under the Rule, a “notification incident” is defined as:
a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
This definition could encompass a breach of personal information, as well as other incidents that could disrupt a bank’s operations, even if personal data were not accessed or exfiltrated. The Agencies provided a list of examples of events that could rise to the level of “notification incidents,” which include:
- Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
- A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
- A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.
Despite the Banking Rule’s exceptionally short 36-hour reporting timeframe, covered entities are only required to provide their primary regulator with “simple notice” of a notification incident. The Rule’s reporting obligation does not require any detailed evaluation or root-cause analysis of the incident and does not prescribe a form of notice delivery; telephone and email are both appropriate methods of reporting. By contrast, the SEC’s proposed reporting rule for investment advisers involves the completion and submission of a new Form ADV-C, with 16 separate requirements, including substantive information about the nature and scope of the cyber incident, as well as information about the adviser’s cybersecurity insurance policy.
Notably, FDIC-supervised banks can comply with the rule by reporting an incident to a case manager—the primary FDIC contact for all supervisory-related matters—or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, it may notify the FDIC by email at the address designated by the FDIC [email address elided in source]. Meanwhile, bank service providers must notify any affected FDIC-supervised banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, services provided to such banking organization for four or more hours.
As the cyber incident reporting landscape continues to change, financial institutions should review their incident response protocols and develop a plan to address the Banking Rule, if applicable, along with any other notification requirements that apply to them.