Roger Morris
Associate General Counsel, Compliance Alliance

Computer-Security Incident Notification final rule: What you need to know


In November, federal bank regulatory agencies published a final rule titled “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” (the “Rule”), which is notable for two primary reasons: (i) it obligates banks to notify their primary federal regulator within 36 hours of determining that a “notification incident” has occurred, and (ii) bank service providers subject to the Bank Service Company Act (BSCA) must notify their affected bank customers as soon as possible when an incident occurs that may cause a disruption of four or more hours. The Rule defines three types of incident that determine when these notification requirements apply.

1. Computer-security incident

A computer-security incident is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” Here, the key word is “actual.” This is a change from the proposed rule, which had also included “potential” incidents. Limiting the definition to actual harm narrows the scope of the Rule and reduces the number of false-positive incident reports. Also of note, a computer-security incident does not have to be reported by a bank to its primary federal regulator unless it is also a “notification incident.”

2. Notification incident

A notification incident is “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or
  • operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

A notification incident is a very specific subset of computer-security incidents. Not only must the incident cause actual harm, but it must also do significant, “material” damage to the bank’s ability to do business, or pose a threat to the financial stability of the entire country. This determination would be made during the analysis phase of the incident response process. Banks must notify their primary federal regulator within 36 hours of determining that a “notification incident” has occurred.

3. Bank service provider incident

A bank service provider incident is “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” 

Because banks increasingly rely on bank service providers subject to the BSCA, this type of incident notification is intended to give the bank enough time to determine whether the incident experienced by the service provider would also be classified as a “notification incident” for the bank. Bank service providers must notify their affected customers “as soon as possible” when they determine they are experiencing this kind of incident.

As to who should be notified according to the Rule, when a “notification incident” occurs, a bank is required to notify “the appropriate agency supervisory office or other designated agency contacts.” In short, work with your regulator to determine who would be best suited to receive this report. 

When a “bank service provider incident” occurs, the agencies require the bank service provider to notify “at least one bank-designated point of contact at each affected banking organization customer.” If no contact has been designated, the notification should be made to the bank’s CEO and CIO, or to “two individuals of comparable responsibilities.” The agencies recommend that the notification be provided by email or telephone, but the Rule leaves the method open-ended to leave room for evolving technology.

The estimated impact of this new rule on banks is “de minimis.” While these calculations do not include time spent responding to incidents, or certain compliance costs such as reviewing the rule, renegotiating bank service provider contracts, updating the Information Security Program and training personnel, it is clear the agencies believe the benefits will outweigh the costs. However, banks are encouraged to provide comments regarding actual implementation efforts and recommendations for how the agencies may be able to refine their calculations.

What you need to know

For implementation, there are three primary areas of your Information Security Program in which the final rule should be addressed. 

First, banks should update their “Incident Response” policy to reflect the expected behavior and state that the bank will provide notice to its primary federal regulator within 36 hours of determining that a “notification incident” has occurred.

Next, banks will need to update their response plan communication guidelines to document how, when, to whom and by whom notice of a “notification incident” would be provided. Additionally, banks will need to update the classification strategies and handling procedures to document how the bank plans to determine whether an incident is a “notification incident” or not. 

Lastly, you need to consider your bank service providers. In all likelihood, most of your contracts with BSCA-applicable bank service providers already include notification requirements similar to the ones expected by the new rule. Where they do not, banks need to update their contract review process to ensure the new requirements are addressed. Keep in mind, though, that the Rule requires bank service providers to “comply even where their contractual obligations differ from the notification requirement in this rule,” so to the extent a contract differs from the Rule, those differences will need to be addressed.

In summary, the agencies believe the Rule “largely formalizes a process that already exists, reflecting the collaborative and open communication that exists between banking organizations and the agencies.” While any rule comes with added regulatory burden, the purpose of this rule seems to stem from a place of improving the banking industry’s resilience to the ever-growing risks of computer security incidents. 
