US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a "computer-security incident" that rises to the level of a "notification incident." The proposed rule would also affect companies that provide certain services to those banks, including data processing. Those service providers would be required to notify "at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours."

Who would be affected?

Banks

• For the OCC, "banking organizations" would include national banks, federal savings associations, and federal branches and agencies.
• For the Board, "banking organizations" would include all US bank holding companies and savings and loan holding companies; state member banks; the US operations of foreign banking organizations; Edge and agreement corporations.
• For the FDIC, "banking organizations" would include all insured state nonmember banks, insured state-licensed branches of foreign banks and state savings associations.

Bank service providers, under the Bank Service Company Act (12 U.S.C. §§ 1861–67)

Bank services that are subject to the BSCA include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution," as well as components that underlie these activities. Other services that are subject to the BSCA include data processing, back office services, and activities related to credit extensions, as well as components that underlie these activities.

What would be a "computer security incident" under the proposed rule?

The proposed rule would add a definition of "computer security incident" to each agency's regulations that would read:

an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Most importantly, note that this definition is NOT limited to personal information. In addition, the agencies pointed out that "not all 'computer-security incidents' require a banking organization to notify its primary federal regulator; only those that rise to the level of 'notification incidents' require notification. Other computer-security incidents, such as a limited distributed denial of service attack that is promptly and successfully managed by a banking organization, would not require notice to the appropriate agency."

What would be a "notification incident" under the proposed rule?

The proposed rule would add a definition of "notification incident" to the regulations. The term "notification incident" would mean that a banking organization believes in good faith a computer security incident" could materially disrupt, degrade, or impair—

• the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
• any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit or franchise value; or
• those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The agencies also provided several "non-exhaustive" examples of what they considered to be "notification incidents":

1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
3. A failed system upgrade or change that results in widespread user outages for customers and bank employees;
4. An unrecoverable system failure that results in activation of a banking organization's business continuity or disaster recovery plan;
5. A computer hacking incident that disables banking operations for an extended period of time;
6. Malware propagating on a banking organization's network that requires the banking organization to disengage all Internet-based network connections; and
7. A ransom malware attack that encrypts a core banking system or backup data.

The agencies also added a catch-all: "The agencies expect that banking organizations would consider whether other significant computer-security incidents they experience, beyond those listed above, constitute notification incidents for purposes of notifying the appropriate agency."

When would the 36-hour clock start?

Once the bank has determined that a notification incident has occurred. More specifically,

The agencies do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident. Rather, the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. In this context, the agencies recognize banking organizations may not come to a good faith belief that a notification incident has occurred outside of normal business hours. Only once the banking organization has made such a determination would the requirement to report within 36 hours begin.

What would be the timeline for service providers? Who would be notified?

Similar to state data breach laws, service providers would not be obligated to report directly to the regulators, but would instead be required to report to the bank(s) with which they contracted to provide service. The regulators had several interesting proposals in this area:

Under the proposed rule, a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. A bank service provider would not be expected to assess whether the incident rises to the level of a notification incident for a banking organization customer. The banking organization would be responsible for making that determination because a bank service provider may not know if the services provided are critical to the banking organization's operations. If, after receiving such notice from a bank service provider, the banking organization determines that a notification incident has occurred, the banking organization would be required to notify its primary federal regulator in accordance with this proposed rule. . . .

****

The agencies believe that it is practical for a bank service provider to immediately notify at least two individuals at their affected banking organization customers after experiencing a computer-security incident of the severity described in the proposed rule because the notice would not need to include an assessment of the incident, and the agencies observe that there are effective automated systems for doing so currently. The agencies expect only that bank service providers would make a best effort to share general information about what is known at the time. Regulators would enforce the bank service provider notification requirement directly against bank service providers and would not cite a banking organization because a service provider fails to comply with the service provider notification requirement.

(emphasis added)

What would be required in the notice?

General information that is known at the time of notification. The regulators stated that "no specific information is required for the notice, and the proposed rule does not include any prescribed reporting forms or templates." In addition, "the notice could be provided through any form of written or oral communication, including through any technological means (e.g., email or telephone), to a designated point of contact identified by the banking organization's primary federal regulator (e.g., an examiner-in- charge, local supervisory office, or a cyber-incident operations center)." Importantly, that notice "and any information provided by a banking organization related to the incident, would be subject to the agencies' confidentiality rules."

Comments on the proposal

The regulators have indicated that they are seeking comments on the proposal as well as on several questions included in the notice. Among those questions are

• Should the definition of "computer security incident" include only occurrences that result in actual harm or actual violation of security policies, security procedures, or acceptable use policies?
• How should the 36-hour timeframe for notification be modified, if at all, and why? Should it be made shorter or longer?
• Do existing contracts between banking organizations and bank service providers already have provisions that would allow banking organizations to meet the proposed notification incident requirements? The agencies are seeking information on how bank service providers currently notify banking organizations of service disruptions under existing contracts between bank service providers and banking organizations.
• The agencies invite comments on specific examples of computer-security incidents that should, or should not, constitute notification incidents.

The comment period will commence upon publication in the Federal Register and extend for 90 days.