As anticipated, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”). The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic. It places new reporting requirements on both U.S. banking organizations, as well as bank service providers. We have blogged repeatedly on the pernicious issue of ransomware.
The Final Rule applies to “banking organizations” as defined in the Final Rule. Covered banking organizations are required to provide notice to their relevant regulator in the event that a “Notification Incident” occurs. A Notification Incident is a computer security event that results in actual harm to the confidentiality, integrity, or availability of information or an information system, when that occurrence has—or is reasonably likely to—materially disrupt or degrade:
- a banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base;
- business line(s), that upon failure would result in a material loss of revenue, profit, or franchise value; or
- operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The Final Rule specifically calls out ransomware and DDOS attacks as potential Notification Incident. Banking organizations that suffer a Notification Incident must provide notice to their respective regulator as soon as possible, but not later than 36 hours after the occurrence of the incident. Despite the 36-hour notification window, covered banking organizations that offer “sector critical services” are encouraged to provide same day notification. Finally, the required notice should be provided either by email, telephone, or any other similar methods later prescribed by regulators for providing notice.
The Final Rule also requires that bank service providers notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has—or is likely to—materially disrupt or degrade covered services for more than four hours. Banking organizations and service providers are required to work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner. This requirement is designed to enable a banking organization to promptly respond to an incident, determine whether it must notify its primary federal regulator, and take any other measures that may be appropriate.
The Final Rule is likely to impact the operations of both banking organizations and bank service providers. Banking entities should closely review the definitions in this Final Rule to determine whether they fall within its scope. Moving forward, covered entities should expect to include relevant notification provisions in new and existing service contracts. Covered entities will also want to ensure that they create internal policies and procedures for identifying when an incident requiring notification has occurred, and what steps must be taken by whom to provide notice to relevant parties in compliance with the Final Rule.