The three primary banking regulators have issued a new rule effective April 1, 2022, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”(“Notice Requirement”).1 Complying with the new rule should be relatively easy, but a deeper consideration of the associated obligations should prompt a bank to review its computer-security incident response plan, policies, procedures, and cyber-risk insurance coverage.
Notice Requirement
The Notice Requirement is intended to promote a bank providing timely notice to its primary regulator when the bank experiences a computer-security incident that materially and adversely affects the bank or bank holding company supervised by the Federal Reserve, OCC, or FDIC. The rule generally applies to banks and entities subject to the Bank Service Company Act (“Banking Service Provider”).
Bank Service Provider Obligation
A Bank Service Provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the Bank Service Provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. The reporting requirement does not apply to any scheduled maintenance, testing, or software update previously communicated to the bank. A computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
The bank is obligated to evaluate the impact of computer-security incidents occurring within its own systems or the systems of a Bank Service Provider and determine whether the incident constitutes a “Notification Incident.”
Bank Obligations
The bank is obligated to evaluate the impact of computer-security incidents occurring within its own systems or the systems of a Bank Service Provider and determine whether the incident constitutes a “Notification Incident.” A Notification Incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade a banking organization’s:
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would threaten the financial stability of the United States.
The bank is obligated to notify its primary regulator as soon as possible but no later than 36 hours after it determines that the computer-security incident constitutes a notification incident. The preferred method of contact will be provided to the bank by its regulator.
Updating Your Computer-Security Incidence Response Plan
Based on 2019 and 2020 data, the agencies have estimated that at least 3% of banks will need to report a computer-security incident each year but acknowledge the number could grow. Given the potential disruption and expense related to computer-security incidents, this is a significant risk for a community bank.
The 36-hour notice requirement highlights the bank’s responsibilities to move quickly after discovering a computer-security incident and assess the incident’s likely impact even if the incident flows from a third-party vendor. Banks should not generally assume that third-party vendors such as core processors will take the lead on computer-security incidents.
Banks bear ultimate responsibility for responding to incidents that impact their customers and safe and sound banking operations. Incidents require rapid coordination of internal and external resources to address some or all the following actions:
- Detect a computer-security incident;
- Analyze and document the incident;
- Prioritize the incident for further action;
- Notify appropriate parties;
- Choose a containment strategy;
- Gather and preserve evidence;
- Eradicate the threat;
- Recover systems, and;
- Conduct a post-activity assessment.
Without advanced planning, the computer-security incident response process can be far too complex to accomplish. In addition, there are potentially significant costs associated with incident response, including third-party vendor costs, lost productivity, ransomware demands, and business interruption.
Cyber-insurance is an increasingly necessary risk mitigation tool that should be integrated into the computer-security incident response plan. Cyber-insurance policies are complex contracts that do not generally follow a standardized form. The terms should be negotiated in the context of the bank’s overall incident response plan.
The computer-security risk environment suggests that even with robust prevention measures in place, banks are exposed to the potential for computer-security incidents requiring rapid, costly, and coordinated action. With proper planning, clearly understood and documented roles and responsibilities among vendors, and appropriate insurance, banks can substantially mitigate the potential disruption stemming from computer-security incidents.
1 “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, 86 FR 66424, (November 23, 2021).
Mark Mangano is counsel with Jackson Kelly PLLC. Mark is a former bank CEO with over twenty-five years of leading a financial institution and ensuring regulatory compliance. Mark’s practice focuses on banking regulatory issues, mergers and acquisitions, strategic planning consulting, and corporate governance advising.
You can contact Mark at Mark.mangano@jacksonkelly.com or 304-284-4104.
