Federal banking regulators issue cyber breach requirement


From April 2022, banking organizations and banking service providers will be subject to the shortest regulatory breach notification period of any law to date – 36 hours.

The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) (collectively, the “Agencies”) have issued a final rule to establish cybersecurity breach notification requirements for banking organizations and banking service providers (rule).

The rule contains a regulatory notification requirement of 36 hours for incidents that rise to the level of “notification events”. This timeframe is shorter than any US state’s data breach notification law and tighter than even the strictest timeframe currently on the US books – 72 hours under the New York State Department of Financial Services rules and certain state insurance laws. Banking organizations will need to act quickly to send notifications to their primary regulators once they determine that a “notification event” has occurred.

Although the timeline is short, the clock does not start until the banking organization “determines that a notification incident has occurred.” This contrasts with other breach notification laws that set timelines based on when an organization becomes aware of an incident. In the rule’s summary, the Agencies said they expect banking organizations to take “a reasonable amount of time” to determine whether a notification event has occurred, and the 36-hour period will only begin after that determination has been made.

The rule also clarifies that not all data security incidents are notification events. “Notification events” are computer security events that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, a banking organization’s:

  • Ability to perform banking transactions, activities or processes, or to provide banking products and services to a significant portion of its customers, in the normal course of business;

  • Line(s) of business, including related operations, services, functions and support, which, if failed, would result in a material loss of revenue, profits or franchise value; or

  • Operations, including related services, functions, and support, if any, the failure or termination of which would pose a threat to the financial stability of the United States.

The Agencies have also provided a list of examples of likely notification events, which include:

  • Large-scale distributed denial-of-service (DDoS) attacks (see the December 2021 Data Privacy Dish blog post) that disrupt customer account access for an extended period (for example, more than four hours).

  • A banking service provider that a banking organization uses for its core banking platform to operate business applications experiences a widespread system outage, and the recovery time is indeterminable.

  • Failure of a system upgrade or change resulting in widespread user disruptions for customers and employees of the banking organization.

  • Unrecoverable system failure resulting in the activation of a banking organization’s business continuity or disaster recovery plan.

  • A hacking incident that disables banking operations for an extended period.

  • Malicious software on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations, or that causes the banking organization to disconnect any compromised product or information system supporting its core business lines or critical operations from Internet connections; and

  • A ransomware attack that encrypts a core banking system or backup data.

The notification event definition and the examples provided indicate that the Agencies are targeting security incidents that have a significant impact on banking operations, rather than less threatening incidents. Including ransomware attacks as a notification event type, regardless of how long the encryption lasts, is significant given the increase in such incidents in recent years.

In addition to this notification requirement for banking organizations, the rule also obliges banking service providers to notify “at least one bank-designated point of contact at each affected banking organization customer” as soon as possible once the banking service provider has determined that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, its covered services for four hours or more. A computer security incident is defined more broadly than a notification event to include any occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or of the information that the system processes, stores or transmits.

The rule will come into effect on April 1, 2022, with full compliance required by May 1, 2022. Banking organizations and banking service providers should begin reviewing their incident response and business continuity plans now to ensure compliance.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 13