New Rule May Require Banks to Report Incidents Sooner

A proposed rule from a trio of federal financial regulatory agencies aims to change current reporting requirements so that financial service organizations have to notify federal regulators of a security incident within 36 hours.

The new rule expands the current requirements banking organizations and bank service providers have to follow when a security incident rises to the level of a “notification incident.” A security incident refers to any event that violates security policies, procedures, or acceptable use policies, or results in actual or potential harm to the confidentiality, integrity, or availability of an information system. A notification incident refers to any event that impairs the organization’s ability to deliver services to a material portion of its customer base, results in a material loss of revenue, profit, or franchise value, or impacts the stability of the country’s financial sector.

A notification incident may include “major computer-system failures, cyber-related interruptions, such as coordinated denial of service and ransomware attacks, or other types of significant operational interruptions.” The notification can happen orally or in writing.

If the proposed rule is adopted, organizations would need to report incidents that are disruptive, regardless of the type or quantity of information affected. Under the new rule, large-scale distributed denial of service attacks that prevent a significant number of customers from logging into banking applications and accessing their accounts would need to be reported to the regulators. Failed system upgrades that resulted in a service outage and triggered a disaster recovery plan would need to be reported. Ransomware attacks holding systems hostage would also be considered notification incidents.

The proposed rule was announced by the Department of the Treasury’s Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation on Dec. 18. The Notice of Proposed Rulemaking for the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers has been posted on the Federal Register, and the comment period will be open for 90 days, until April 12.

Current regulations, as defined by the Bank Secrecy Act and the Gramm-Leach-Bliley Act, are “too narrow in scope to address all relevant computer-security incidents.” Organizations currently are not required to disclose incidents where sensitive customer information was not impacted, and the regulators are not notified in a timely manner under existing rules. The Gramm-Leach-Bliley Act says organizations need to notify federal regulators “as soon as possible” once aware of an incident that involved sensitive customer information. The Bank Secrecy Act requires organizations to file reports within 30 days, which is too late for the agencies to respond usefully.

“The rule proposed by the agencies today provides appropriate balance — avoiding unnecessarily difficult or time-consuming reporting obligations while ensuring that regulatory agencies are in a position to provide assistance to a bank or the broader financial system when significant computer-security incidents occur,” FDIC Chairman Jelena McWilliams said in a statement.

The proposed rule follows the model set by the New York Department of Financial Services Cybersecurity Regulation, which requires financial services institutions to report within 72 hours any security event that can result in material harm to normal operations.

If the regulators are notified soon enough, they would be able to provide assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection and help coordinate incident response and recovery efforts in cases where the incident is an isolated event. If similar incidents are occurring across multiple organizations, timely notification could allow regulators to release appropriate guidance and provide information that would allow organizations to protect themselves.

The expanded requirements would apply to “supervised banking organizations and bank service providers,” which would include national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies and savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations. Bank service providers are companies providing services such as bookkeeping, accounting, and preparing and mailing checks, statements, and notices.

With financial services organizations increasingly relying on third-party service providers to handle many of the banks’ operations, extending the notification requirement to these suppliers is necessary. Bank service providers would have to notify “at least two individuals” at the affected bank if they experience an incident that could “disrupt, degrade, or impair” services for four hours or more.

Any information provided would be subject to the agencies’ existing confidentiality rules. Many organizations hesitate to report incidents over concerns they will be held liable for lapses in their security practices, or delay the report to have as much information as possible. The confidentiality clause may help encourage reporting.

The regulators “do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident.” An organization would take a “reasonable amount of time” to determine that a security incident should be considered a notification incident, and would then notify federal regulators within 36 hours after making that determination. That means regulators could be notified well past 36 hours after the incident occurred, or was detected.

“This notification requirement is intended to serve as an early alert to a banking organization’s primary federal regulator and is not intended to provide an assessment of the incident,” the proposal said.