OCC, FDIC and FRB extend notification requirement after cybersecurity event
On November 18, 2021, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) and the Board of Governors of the Federal Reserve System (FRB) (each, an “Agency” and, collectively, the “Agencies”) finalized uniform regulations, codified in 12 CFR Part 53, 12 CFR Part 225.300 and 12 CFR Part 304, with the stated aim of improving the sharing of information on cybersecurity incidents detrimental to the US banking system (the “Regulation”). In accordance with the Regulation, banks will be required to notify their lead federal regulator within thirty-six (36) hours of “any significant computer security incident.”
What is the purpose of the regulation?
The Regulation fills an existing gap in federal regulations, including current requirements under the Bank Secrecy Act and other anti-money laundering regulations, the Gramm-Leach-Bliley Act, and the Bank Service Company Act, none of which currently impose direct cybersecurity incident reporting requirements on banking organizations.
When do the regulations come into force?
Although the regulation has an effective date of April 1, 2022, compliance is required by May 1, 2022.
Who is impacted?
The Regulation applies to bank holding companies, savings and loan holding companies, national banking associations, state chartered banks, federal and state savings banks, and federal and state branches of foreign banks, as well as their service providers (collectively, a “bank” or “banks”).
What must be declared?
Banks will need to consider, on a case-by-case basis, whether significant computer security incidents constitute notification incidents that must be reported. The following is a non-exhaustive list of incidents that should generally be reported:
large-scale distributed denial-of-service attacks that disrupt customer account access for an extended period of time;
a bank service provider that is used by a banking organization for its core banking platform to operate business applications experiences widespread system outages and the recovery time is indeterminable;
a failed system upgrade or modification that results in widespread user outages for customers and employees of the banking organization;
an unrecoverable system failure that leads to the activation of a banking organization’s business continuity or disaster recovery plan;
a hacking incident that disables banking operations for an extended period;
malware on a bank’s network that poses an imminent threat to the bank’s core business lines or critical operations, or that requires the bank to disengage any compromised product or information system that supports the bank’s core business lines or critical operations from Internet or network connections; and
a ransomware attack that encrypts a core banking system or backup data.
When must a bank declare a covered event?
In accordance with the Regulation, banks will be required to notify their lead federal regulator of “any significant computer security incident” within thirty-six (36) hours after the bank determines that a notification incident has occurred. However, the Regulation does not directly address when a bank is deemed to have “determined” that a notification incident has occurred. The Agencies noted that an incident need not be discovered immediately, but they anticipate that the determination will be made within a reasonable time. The Agencies also noted that some incidents may occur outside of normal business hours, and that the 36-hour clock begins only once the banking organization has made that determination. The Agencies encourage same-day notification to the lead federal regulator.
As is current practice, notification must be made to the appropriate supervisory office or the applicable Agency contact point; the Regulation does not specify content or format requirements for the notification. Notifications may be sent to the Agency’s contact point by telephone or e-mail.
What should banks be doing now to prepare for the Regulation?
In the meantime, banks should review their internal policies and procedures to ensure that a reporting procedure is in place ahead of the May 1, 2022 compliance deadline.
We note that state chartered banks should be aware that some states, such as New York, have similar reporting requirements in place. State-level reporting obligations may differ from the Regulation and from other federal reporting requirements.
Existing regulatory requirements
The new Regulation fills a gap that is not covered by the Interagency Guidelines Establishing Information Security Standards (the “Security Guidelines”). Specifically, the existing Security Guidelines require notification to the appropriate regulator only if certain customer information has been compromised and the bank has determined that misuse of that information is reasonably likely. The Security Guidelines, codified in 12 CFR Part 30, Appendix B, 12 CFR Part 208, Appendix D-2 and 12 CFR Part 364, Appendix B, remain in effect and require each financial institution to assess the following risks, among others, when developing its information security program:
reasonably foreseeable internal and external threats that could result in the unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;
the likelihood and potential damage of threats, taking into account the sensitivity of customer information; and
the adequacy of policies, procedures, customer information systems and other arrangements in place to control risks.
Following the assessment of these risks, the Security Guidelines require a financial institution to design a program that addresses the identified risks. The specific security measures an institution should adopt will depend on the risks presented by the complexity and scope of its operations. At a minimum, the financial institution is required to consider the specific security measures listed in the Security Guidelines and adopt those that are appropriate for the institution, including the following:
access controls to customer information systems, including controls to authenticate and allow access only to authorized persons and controls to prevent employees from providing customer information to unauthorized persons;
background checks of employees with responsibilities relating to access to customer information; and
response programs that specify the actions to be taken when the financial institution suspects or detects that unauthorized persons have gained access to customer information systems, including appropriate reporting to regulatory and law enforcement agencies.
The Security Guidelines impose requirements for a response program, including (i) an assessment of the nature and scope of an incident and the types of customer information that have been accessed or misused, (ii) notifying the lead federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, and (iii) notifying law enforcement authorities, in addition to timely filing a suspicious activity report in situations involving federal criminal violations requiring immediate attention.
The Regulation finalized in November of this year targets security breaches and cyber attacks generally, and is not limited to incidents involving the compromise of customer information and the likely misuse of that information addressed in the Security Guidelines. As a result, the Regulation is intended to work alongside existing regulatory obligations to ensure that banks are properly addressing cybersecurity threats.
Mary Donohue also contributed to this article.