What Banks & Credit Unions Must Know About the New Computer Security Incident Notification Rule Part 2

In part one of this blog post, we gave you an in-depth look into the new Computer Security Incident Notification Rule. This is the rest of the story…

The final Computer Security Incident Notification rule notes many commenters requested exclusions that did not make the final rule. Things like excluding certain types of systems (those used for marketing or personnel purposes, for instance) or short-natured incidents.

The agencies ultimately decided against adding exclusions because they did not want to miss being notified on the most significant computer-security incidents. The agencies believe focusing on the material adverse effects of a computer-security incident is a simpler and clearer way to ensure they are made aware of all significant events. Therefore, all your systems are subject to this notification requirement.

Another important portion of the rule is the requirement for bank service providers to notify a designated point of contact at the bank when they, the service provider, experience computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, covered services provided to you for four or more hours. Covered services are those covered by the Bank Service Company Act which include:

• check and deposit sorting and posting;
• computation and posting of interest and other credits and charges;
• preparation and mailing of checks, statements, notices and similar items;
• other clerical, bookkeeping, accounting, statistical, or similar functions, such as data processing, internet banking, or mobile banking services.

This coverage is intended to encompass service providers and services that have the potential to cause a notification incident for their banking customers. The agencies acknowledged that most contracts or services agreements require such a notification, but still felt it was important enough to warrant an independent regulatory requirement to ensure consistency and enforceability.

As banks and credit unions often use similar vendors, credit unions may benefit from this requirement by getting better and more timely notification from vendors. If you’re a credit union, discuss the new rule with your service providers to ensure you are included in these notifications (if impacted) alongside your bank peers.

Tips for Implementing your Regulatory Change Management Program

Whenever there’s a regulatory change, there is always a lot to take in. And that can be intimidating. You probably have a lot of questions floating around in your mind, like:

• What will the examiners focus on during our next exam?
• How will they interpret the rule’s requirements?
• How will they enforce the rule?

Luckily, our industry is no stranger to regulatory change. Time to break out that Regulatory Change Management Program again and put it into practice. Here are some tips to get you started:

• Ensure key personnel understands the directives of the rule and how it impacts your institution.
• Update incident response plans to include the definition of a notification incident and a requirement to assess incidents against this rule.
• Identify parties with the authority to determine a notification incident has occurred (remember, determining an incident meets the definition of a notification incident is what starts your 36-hour clock).
• Revise your incident communication plan to identify the party(ies) responsible for notifying your regulatory agency. Include contact information for the regulatory agency and your bank’s preferred method for notifying – email, call, etc.
• Socialize the changes to policies, procedures, and processes with affected parties. Highlight individual roles and responsibilities to ensure compliance.
• Identify and update other affected program collateral including policies, procedures, and training materials.
• Contact covered service providers to ensure they are ready for, or in compliance with, the rule’s requirements. Validate the appropriateness of the ‘designated point of contact’ each provider has on file.
• Update your vendor management program to incorporate this new requirement into contract and service agreement reviews for covered service providers.
• Maintain documentation related to the assessment of incidents against the definition, timing of notifications, and other pertinent information that proves compliance with the rule’s requirements.
• Continue to assess the effectiveness of your program and make refinements as needed.
• Discuss expectations with your examiners.
• Be on the lookout for communications from your agency. Just this week the OCC issued this bulletin to detail how banks can notify the agency to satisfy the incident notification requirements.

What Credit Unions Should Know

While credit unions are not covered under this rule, they are subject to the GLBA reporting requirements. An article on NCUA’s website updated in November 2021 (after the final rule was issued for banks) notes credit unions can opt to notify the NCUA Regional Director of information security-related events outside the scope of the GLBA requirements. The agency stated they will accept any notification and they encourage communication on all concerns.

Additionally, as previously mentioned, credit unions should consider requiring covered service providers to institute the same notification procedures they do for banks.

We know that is a lot to take in. As your partner, DefenseStorm is here to support your compliance with the new rule. Learn more by contacting us today.