By Ron Lefebvre, Esq.
A final rule issued by the OCC, FDIC and the Federal Reserve’s Board of Governors (“Agencies”) went into effect on April 1, 2022, with a compliance date of May 1, 2022 (the “Rule”). The Rule aims to improve regulatory standards with respect to computer-security incident notification requirements for banks and their service providers. See the full text of the final rule here: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf.
The Rule requires that a banking organization provide notice of any “Notification Incident” to its federal regulator as soon as possible, and no later than 36 hours after it determines that a Notification Incident has occurred. The Agencies’ stated goal is that such notification will “help promote early awareness of emerging threats to banking organizations and the broader financial systems.”
The Rule defines a Notification Incident as follows:
“a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
Stated simply: a Notification Incident is a computer-security incident that the banking organization determines is reasonably likely to result in a material, adverse effect on its services or operations. The Rule provides several examples of events that would rise to this level, including a computer hacking incident, malware attack, or large-scale distributed denial of service (DDoS) attack; system outages caused by failed system updates or upgrades; and widespread outages experienced by bank service providers.
The Rule also requires bank service providers to notify each of their affected banking organization clients, via designated points of contact, as soon as possible when a provider determines that it has experienced a “Computer-Security Incident” that is reasonably likely to materially disrupt or degrade its services to its clients for four or more hours. The Rule defines Computer-Security Incident as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This definition, standing alone, is quite general; it is up to bank service providers to determine whether or not a Computer-Security Incident is reasonably likely to result in service disruptions such that notice is required.
Notably, there is no prescribed timeline for bank service providers to notify their clients; the Rule simply provides that such notification must occur as soon as possible. The Agencies indicate in the Rule that in most cases they do not believe that a delay of 36 hours or more in such notification would be appropriate or necessary. The Agencies further acknowledge that the Rule’s notification requirement is likely at least partially duplicative of the requirements contained in the bank service providers’ contract(s) with their client(s). The Rule makes clear that bank service providers must comply with the Rule, even where their contractual obligations differ from the notification requirements of the Rule. That being said, the Rule is not expected to add a significant burden on bank service providers, due to the prevalence of comparable notification requirements in the relevant contracts.
YMFZ represents a number of Software as a Service (SaaS) providers in the financial and healthcare sectors and provides guidance on data security issues.