New Cybersecurity Rulemaking Proposed for Banking Industry
On January 12, 2021, financial regulators jointly published a new notice of proposed cybersecurity rulemaking for the banking industry (see the Federal Register publication). The three regulators are the Office of the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation. The proposal is aimed at promoting the safety and soundness of the banking industry and requires enhanced notifications of cybersecurity incidents related to certain criminal and noncriminal behavior. The public may submit comments through April 12, 2021.
Among its key provisions, the proposed rule would:
- Expand existing notification requirements to “computer-security incidents” that endanger operations—even if no breach, unauthorized access, or exfiltration occurred and even if the incident is not caused by criminal behavior.
- Require banking organizations to notify their primary federal regulator within 36 hours after the banking organization believes in good faith that a “notification incident” has occurred.
- Require “bank service providers” to notify at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair the services it provides for four or more hours.
The proposed rule is a significant change from existing requirements. Under current regulations, banks and financial institutions must notify their primary federal regulator “as soon as possible” after a cyber breach or other security incident. The proposed rule requires notice no later than 36 hours after the organization believes in good faith that the incident occurred.
Notification to Regulators
The proposed rule expands existing notification requirements to any major “computer-security incident”—whether caused by criminal behavior or not. Major “computer-security incidents” are those that could “jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.” In other words, privacy and unauthorized access to consumer and confidential information are not the only relevant issues.
Criminal behavior like hacking, malware, ransomware, denial of service attacks, and other cybercrimes can seriously impair an institution’s ability to provide service and can degrade the functioning of the entire industry. So it stands to reason that regulators require quick notice of cyberthreats and attempted cyber-breach incidents that potentially threaten a banking organization’s operations. But cybercrime is not the only threat to a financial institution’s ability to conduct business operations and provide consumer services. That is one reason the proposed rule expands notice requirements to non-criminal security incidents.
Under the proposed rule, a “notification incident” is defined with respect to an organization’s “core business” and “critical operations.” Specifically, a “notification incident” is one that could materially disrupt, degrade, or impact:
- The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
- Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The proposed rule includes the following non-exhaustive list of events that would be considered “notification events”:
- A large-scale distributed denial of service attack that disrupts customer account access for more than four hours;
- A bank service provider that a banking organization uses for its core banking platform to operate business applications experiences widespread system outages, and the recovery time cannot be determined;
- A failed system upgrade or change that results in widespread user outages for customers and bank employees;
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
- A computer hacking incident that disables banking operations for an extended period of time;
- Malware propagating on a banking organization’s network that requires the banking organization to disengage all internet-based network connections; and
- A ransom malware attack that encrypts a core banking system or backup data.