In November 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation published a final rule to establish computer-security incident notification requirements for banking organizations and their service providers.

While most of the provisions of the new rule are consistent with the announcements from the federal bank regulatory agencies, there are minor differences. Community banks should ensure compliance with their primary federal regulator.

Q: What is a covered notification incident under the rule?

A: A computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits.

A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s ability to carry out banking operations, activities or processes; or deliver banking products and services in the ordinary course of business.

Q: What is the computer-security incident notification requirement for community banks?

A: The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the bank determines that a cyber incident has occurred. Notification is required for incidents that meet the definition of a notification incident. A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident.

Q: Why was the new rule needed?

A: The creation of this rule is important especially in light of the existing Interagency Guidance on Response Programs.

“The rationale of regulators was to attain earlier awareness of the threats that banks are facing to allow the government to better react and help prevent cyber events or computer security events from becoming systemic across the entire sector,” says Steven Estep, ICBA assistant vice president, operational risk. “They deemed that the current interagency guidance and BSA requirements did not provide as much coverage as desired and wanted earlier awareness to get ahead of the bad guys.”

The original Interagency Guidelines Establishing Information Security Standards came from the Gramm-Leach-Bliley Act (GLBA) of 1999. While it established some structure for identifying and reporting security incidents such as data breaches, the new rule is more specific as to timeliness (“as soon as possible” compared to the “36-hour” time limit), expands beyond the traditional scope of a data breach and brings attention to any type of computer-security incident that results in actual harm.

Q: What are the requirements of the rule for a compliance program, content of the notification and recordkeeping?

A: “The regulators have tried to make the rule as simple as possible and manage regulatory burden,” Estep says. “There are no specific requirements for the content of the notification or requirements for a specific form of assessment or analysis of the event(s). It is up to the bank to determine when events have reached the definition requiring notification and choosing a vehicle, email or otherwise, to notify their primary federal regulator in the desired manner. The incident could still be under evaluation when the notification is sent.”

Estep notes that community banks should ensure their written policies, procedures and any other related materials have been updated to reflect the new rule and persons or departments responsible for reporting, including bank-designated points of contact for the bank’s service providers. Programs that may be affected are information security policies, incident response plans and the vendor management program, among others. The rule does not specify the consequences of non-compliance; however, it could be evaluated by regulators in the normal course of supervision.

“The rule doesn’t include recordkeeping requirements; however, it may be beneficial to document a record of the notification,” he advises. “It could serve as documentation of the bank’s compliance with the rule should issues arise in the future and as data to track or accumulate incidents for evaluation of patterns or practices.”

At this time, the Cybersecurity and Infrastructure Security Agency (CISA) is writing rules for cyber incident reporting for critical infrastructure. Community banks should watch for a proposed rule later this year or early in 2024.

Because of the frequency and severity of cyberattacks on the financial services industry, the agencies believe that it is important that a banking organization’s primary federal regulator be notified as soon as possible of a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or affect the stability of the financial sector. 

While community banks have likely begun following the new rule, it is important to ensure that related information maintained in the bank and used for third-party service providers is consistent with it.