The OCC, Board, and FDIC released the final rule, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, on Nov. 23, 2021, which goes into effect April 1, 2022, and requires mandatory compliance on May 1, 2022. The final rule comes after the Notice of Proposed Rulemaking was published in January 2021 and opened for comment. While the rule does not directly apply to credit unions, they should be aware of pieces of the rule related to their security programs, vendor management, and communications with regulatory agencies.
The rule is one in a string of administrative and regulatory issuances and regulations tightening requirements and heightening expectations for computer and general information security. These recent issuances and rules include the SEC’s new proposal covering cybersecurity risk management requirements for advisors and funds; President Biden’s recent Executive Order on Improving the Nation’s Cybersecurity; and, of course, the infamous New York Department of Financial Services Part 500: Cybersecurity Requirements for Financial Services, which outlines the requirements for a cybersecurity program and annual cybersecurity notices. We can expect this trend to continue and for regulatory expectations to keep evolving considering the world in which we live.
Before digging into the final rule’s specifics, let’s first recognize your bank or credit union already has reporting requirements outlined in GLBA. As you know, GLBA requires you to notify your regulator as soon as possible when you become aware of an incident involving unauthorized access to or use of sensitive customer information. The new rule is broader and includes integrity, availability, and general confidentiality beyond GLBA’s focus on confidentiality of sensitive customer information.
The final rule requires timely notification of computer-security incidents that fit the definition of a notification incident. Yep, with new rules come new definitions. Let’s dig into what those terms mean.
A computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or the information the system processes, stores, or transmits.
A notification incident is a computer-security incident that has materially disrupted or degraded, or is likely to materially disrupt or degrade a bank’s:
• Ability to carry out operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business.
• Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value (i.e., core business line).
• Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States (i.e., critical operations).
The terms “core business lines” and “critical operations” from the Resolution Planning rule closely mirror the definitions in the second and third bullets of the notification incident rule above. The new rule doesn’t imply that banks under $50 billion in assets now need to comply with the requirements of the resolution planning rule and thus formally define these terms for your institution. However, it does set the expectation that you maintain a sufficient understanding of your business and are able to identify core business lines and critical operations in order to properly identify notification incidents.
It is also important to note that there is no strict definition of what would be considered a material loss of revenue, profit, or franchise value, so it is up to each bank to evaluate this on a case-by-case basis.
As you can see, these definitions are much broader than the GLBA notification standard. For example, malware incidents not involving unauthorized access to, or use of, sensitive customer/member information would not require notification to your primary regulator under GLBA.
However, as documented in number six of the Examples of Notification Incidents found in the final rule’s supplemental information, regulatory notification is required if the bank experiences malware on a banking organization’s system that poses an imminent threat to the banking organization’s core business lines or critical operations, or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections.
The notification timing requirement is as soon as possible and no later than 36 hours after a bank determines an incident meets the definition of a notification incident. The key here is that the timer doesn’t start after containment or after you’ve identified root cause. The timer starts as soon as you determine an incident meets the definition detailed above.
The agencies recognized in the commentary of the final rule that many commenters wanted the 36-hour notification requirement extended. While other security incident reporting requirements have longer notification timeframes (such as the NYDFS rule), they also have more prescriptive reporting requirements and filing instructions (for example, filing through NYDFS’s online portal). The agencies believe that, given the flexibility and simplicity of both the required content and the notification method (i.e., send an email or pick up the phone), 36 hours was appropriate.
We know this rule is complex and that there is a lot of information to take in within a short amount of time. But don’t worry – we are here to help answer all of your questions. Check back soon for part 2 or contact us today.