On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking (NPRM) titled "Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule)," which would create accelerated notification obligations for banking organizations and bank service providers in the event of a security incident.
This would require a banking organization to notify its primary regulator no later than 36 hours after reasonably determining that a qualifying incident has occurred, and it would require a bank service provider to notify a banking organization immediately upon detecting that an incident occurred.
So, who does this rule apply to? This would apply to “Banking Organizations,” which are defined as:
For the OCC, national banks, federal savings associations, and federal branches and agencies;
For the Board, all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; Edge and agreement corporations; and
For the FDIC, all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.
This also applies to “bank service providers,” which is defined as “a bank service company or other person providing services to a banking organization that is subject to the Bank Service Company Act.”
What are the proposed new obligations? The Proposed Rule would:
Require banking organizations to notify their primary federal regulator of certain computer-security incidents – i.e., those that qualify as a “notification incident” under the Proposed Rule – “as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.”
Require bank service providers to notify an affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it “believes in good faith could disrupt, degrade, or impair the provision of services” it provides to the banking organization subject to the Bank Service Company Act (BSCA).
Require bank service providers to notify “at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to [the BSCA] for four or more hours.”
According to Fotis Konstantinidis, Managing Director at Stout, “The new proposed rule by the OCC, Federal Reserve Board and FDIC addresses the significant risks that non-timely reporting of computer security incidents poses to banking organizations. The agencies tried to strike the right balance between additional compliance burden and safety benefits. There are still open items, such as precisely defining what qualifies as a notification incident, finalizing the 36-hour time-frame for notification and determining the entities that should be added to the rule. Overall, the proposed rule does provide an additional layer of protection for banking organizations and their service providers, who would now need to adjust their security incident response plans and oversight processes.”
See how Exterro Incident and Breach Management can help you orchestrate an efficient and defensible breach response process that would allow you to comply with this newly proposed regulation.