The war in Ukraine has financial institutions on high alert for cybersecurity threats. Now, financial institutions and their service providers must also meet new obligations for reporting on computer-security incidents when they occur. In this guest column by Jeffrey Taft and Matthew Bisanz of Mayer Brown's Financial Services Regulatory & Enforcement practice, learn more about how to be ready for compliance.
Banking Computer-Security Incident Notification Requirements Take Effect
New Rule Outlines Computer-Security Incident Notification Obligations for Banks
Financial institutions and their service providers should prepare to meet new computer-security notice requirements by May 1, 2022.
On April 1, 2022, new computer-security incident notification requirements for banks and their service providers take effect in the United States. The new requirements expand and clarify the existing notification obligations of financial institutions, which are primarily focused on consumer protection and suspicious activity reporting. Additionally, the new requirements obligate service providers to notify their financial institution customers when certain computer security incidents occur. Financial institutions and service providers should revise their incident response and business continuity procedures to ensure that they will meet these new requirements when compliance is required on May 1, 2022.
Historically, the federal banking regulators required financial institutions to file two types of reports for certain cybersecurity incidents. First, under the safeguarding authority of the Gramm-Leach-Bliley Act, certain financial institutions have been required to notify their federal regulator of incidents (including cybersecurity incidents) involving unauthorized access to sensitive consumer information. Second, under the reporting requirements of the Bank Secrecy Act, certain financial institutions are required to report incidents involving suspicious activity.
Separately, states have moved in recent years to impose broader cybersecurity incident reporting requirements on state-regulated financial institutions. For example, the New York Department of Financial Services requires institutions that it regulates to report certain cybersecurity events to the agency within 72 hours. Similar requirements have been imposed by some state insurance regulators as part of their adoption of the NAIC Insurance Data Security Model Law. These state laws are in addition to the consumer breach notification laws adopted by all 50 states and the District of Columbia, which may require notification to a state agency as well as to the affected consumers.
The notification requirements impose obligations on financial institutions and their service providers. For these purposes, a financial institution includes a national or state bank, a savings association, an Edge or agreement corporation, a U.S. branch or agency of a foreign bank, and a bank or savings and loan holding company. The federal banking regulators confirmed in the preamble to the new requirements that nonbank subsidiaries of financial institutions generally are not required to provide notice, unless they otherwise fall within the definition. A covered financial institution does not include credit unions.
Financial institutions and computer-security incident notifications
Financial institutions are required to notify their appropriate federal regulator of a “notification incident” as soon as possible and no later than 36 hours after the institution determines that a reportable event occurred. This is shorter than the reporting deadline established by other regulators, such as the New York Department of Financial Services.
The notification may be provided in written or oral form (including email or telephone) and may be made to the institution’s designated point-of-contact at the federal regulator. The notification should convey whatever general information is known to the institution regarding the incident but does not need to be made using a specific form or format.
When a computer-security incident notification is required
A “notification incident” is a computer security incident that has materially disrupted or degraded:
The ability of the institution to carry out banking operations, activities or processes or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
Any business line of an institution, including associated operations, services, functions and support, and the incident would result in a material loss of revenue, profit or franchise value; or
Those operations of an institution, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
While the definition is broad, there are materiality qualifiers that could limit its applicability to a small subset of incidents. A “computer security incident” is further defined as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This is narrower than the definition in the proposal, which would have included potential occurrences and occurrences that constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
However, the federal regulators have emphasized that the definition of a computer security incident remains broad and can include non-malicious occurrences, such as the failure of hardware and software and personnel errors.
Service providers and computer-security incident notifications
A service provider is any person or entity who performs services for a financial institution that are subject to the Bank Service Company Act. This can include an affiliate or another financial institution that provides covered services. While the new requirements do not further define the services that are subject to that law, the federal regulators arguably have abandoned their expansive position that covered services could include components that underlie other covered services.
The new requirements explicitly obligate a service provider to notify each affected financial institution customer as soon as possible after the service provider determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four or more hours. A service provider may comply with its duty by notifying a contact designated by the financial institution or, if no such contact has been designated, notifying the financial institution’s chief executive officer and chief information officer (or two individuals of comparable responsibilities). To ensure that notices are directed to the correct persons for immediate action, financial institutions should consider establishing a monitored email address and including this email address in their contracts with service providers.
While many existing service provider contracts already include incident-reporting provisions, these new requirements apply to service providers regardless of the content of a contract with the financial institution. Further, the new requirements do not abrogate contracts that contain more stringent incident-reporting provisions.
The new requirements become effective on April 1, 2022, but compliance is not required until May 1, 2022. Financial institutions and their service providers should use the remaining month to review their incident response policies and playbooks to ensure that they address the new requirements discussed above. While it is likely that they already have procedures for identifying and reporting a wide range of incidents, the relevant thresholds, timing, and report formats vary across regulators and jurisdictions. Accordingly, financial institutions and service providers may need to add provisions addressing these new requirements. Furthermore, financial institutions may want to establish a monitored email address for notice and include it in contracts to ensure timely receipt of these notices from service providers.
Additionally, service providers should consider how they will go about notifying financial institution customers. For some service providers, it may be more efficient to agree to a designated point of contact in advance to avoid the scramble of finding contact information for a customer’s chief executive officer and chief information officer during an incident. Approaches will vary across service providers, particularly those with larger and more complex business operations, but should be thought through now.
About the authors
Jeffrey Taft is a leader of Mayer Brown's Financial Services Regulatory & Enforcement practice, where he advises financial institutions on bank regulation, bank receivership and insolvency issues, payment systems, consumer financial services and cybersecurity/privacy issues. Matthew Bisanz is a partner in Mayer Brown's Financial Services Regulatory & Enforcement practice, where he advises financial institutions on all major aspects of the operations of an insured depository institution, its affiliates, and its partners. Mayer Brown is a distinctively global law firm, uniquely positioned to advise the world’s leading companies and financial institutions on their most complex deals and disputes. To learn more, please visit us at: Mayer Brown: Cybersecurity & Data Privacy.