Newly Proposed Cyber Reporting Rules for Banking Organizations
Client Alert | 3 min read | 02.01.21
Last month, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (the Board), and the Federal Deposit Insurance Company (FDIC) issued a Notice of Proposed Rulemaking (86 F.R. 2299) that would require notification from banking organizations and their service providers within 36 hours of the discovery of a broad array of cybersecurity incidents that could “materially disrupt, degrade, or impair” banking operations.
The rule would fill a gap among current federal regulations—including the Bank Secrecy Act (BSA), the Gramm-Leach-Bliley Act (GLBA), and the Bank Service Company Act (BSCA)—which at present do not impose direct cybersecurity incident reporting requirements with defined deadlines on banking organizations. The federal banking authorities' Interagency Guidelines Establishing Information Security, first published in 2001, do implement sections 501 and 505(b) of the GLBA to require that a banking organization notify “its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information” (emphasis added); however, the guidelines do not impose a specific deadline for such notification, nor do they offer detailed (or updated) definitions of incidents involving either “unauthorized access” or “sensitive customer information.” The Securities and Exchange Commission (SEC) has also published its 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Release Nos. 33-10459; 34-82746), which outlines the cybersecurity incident disclosure requirements public operating companies must meet in their registration statements—though as with the Interagency Guidelines, the substance and timing of these disclosures weighs heavily on companies’ own judgment. Similarly, while certain banking organizations are required to file Suspicious Activity Reports (SARs) when they become aware of a violation of federal criminal law or a suspicious activity related to money laundering, those reports may be filed within 30 days. Notwithstanding the existing landscape, the proposed rule seeks to broaden the types of cybersecurity incidents that must be reported and improve timely notice of such incidents.
In particular, the proposed rule would require any banking organization that experiences a “computer-security incident” that meets the rule's threshold of a “notification incident” to report such an occurrence to the organization's primary federal regulator no later than 36 hours after the organization “believes in good faith that a notification incident has occurred.” The rule also would require that banking service providers (as defined under the BSCA1) notify at least two individuals at affected banking organizations upon “experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.”
The proposed rule defines “computer-security incident” broadly to include those involving both actual and “potential” harm, as well as unauthorized access. It also applies to all “information the [banking organization's information technology] system processes,” not just personally identifiable information (PII). “Notification incident” is defined more narrowly in the proposed rule, encompassing only those incidents the banking organization believes in good faith “could materially disrupt, degrade, or impair” the organization's ability to carry out either core operations, operations which would result in material loss of revenue, or operations linked to the financial stability of the United States.
Many banking organizations may already have extant cybersecurity incident reporting policies roughly in line with the obligations of the proposed rule. Similar reporting requirements have been imposed on certain banking organizations at the state level, with, for example, the New York Department of Financial Services instituting a 72-hour reporting deadline on banking organizations that experience a cybersecurity incident. These obligations exist in addition to those generated by customer-centric data privacy regulations that have been adopted by most state legislatures in some form. Moreover, in recent years, banking organizations have actively included incident reporting language in their contracts with banking customers. Nevertheless, the 36-hour reporting requirement adopted by the proposed rule would be one of the strictest federal reporting deadlines for cybersecurity incidents.
The proposed rule requests comments on 16 specific questions by April 12, 2021. Those questions include whether the definitions of “computer-security incident” and “notification incident” should be modified; whether the timelines for reporting should be altered; and whether the requirement that banking organizations and bank service providers notify the appropriate party when they “believe in good faith” that they are experiencing or have experienced a notification incident or computer-security incident is sufficiently clear. Banking organizations and their service providers should review their existing cybersecurity incident disclosure policies and procedures, and consider the breadth and degree of changes to those policies and procedures that compliance with the proposed rule would require.
1 The BSCA applies “banking service provider” to all vendors, including technology service providers, who engage in “check and deposit sorting and positing, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices and similar items, or any other clerical, bookkeeping, account, statistical, or similar functions” on the part of banking organizations. 12 U.S.C. § 1863.
Contacts
Insights
Client Alert | 3 min read | 12.13.24
New FTC Telemarketing Sales Rule Amendments
The Federal Trade Commission (“FTC”) recently announced that it approved final amendments to its Telemarketing Sales Rule (“TSR”), broadening the rule’s coverage to inbound calls for technical support (“Tech Support”) services. For example, if a Tech Support company presents a pop-up alert (such as one that claims consumers’ computers or other devices are infected with malware or other problems) or uses a direct mail solicitation to induce consumers to call about Tech Support services, that conduct would violate the amended TSR.
Client Alert | 3 min read | 12.10.24
Fast Lane to the Future: FCC Greenlights Smarter, Safer Cars
Client Alert | 6 min read | 12.09.24
Eleven States Sue Asset Managers Alleging ESG Conspiracy to Restrict Coal Production
Client Alert | 3 min read | 12.09.24
New York Department of Labor Issues Guidance Regarding Paid Prenatal Leave, Taking Effect January 1