I. INTRODUCTION
The Federal banking agencies have issued a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers.
The final rule requires a bank to notify its primary federal regulator as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred. The bank must provide this notification to the appropriate OCC supervisory office, or OCC-designated point of contact, through email, telephone, or other similar methods that the OCC may prescribe.
The final rule will help ensure that the OCC knows about and can respond in a timely manner to material and adverse computer-security incidents affecting banks.
II. BACKGROUND
Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as nonmalicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect a bank’s networks, data, and systems and, ultimately, its ability to resume normal operations.
In addition, banks have become increasingly reliant on bank service providers to provide essential services. Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their bank customers or have other significant impact on a customer bank.
III. DEFINITIONS
For purposes of the final rule, the following definitions apply:
(1) Banking organization means a national bank, Federal savings association, or Federal branch or agency of a foreign bank; provided, however, that no designated financial market utility shall be considered a banking organization.
(2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.
(3) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
(4) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861–1867).
(5) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
IV. EXAMPLES OF NOTIFICATION INCIDENTS
The final rule includes the following non-exhaustive list of incidents that would be considered notification incidents:
1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
4. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
5. A computer hacking incident that disables banking operations for an extended period of time;
6. Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections; and
7. A ransom malware attack that encrypts a core banking system or backup data.
V. BANK NOTIFICATION
A. Office of the Comptroller of the Currency (OCC)
A banking organization must notify the appropriate OCC supervisory office, or OCC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the OCC may prescribe. The OCC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
B. Federal Reserve Board (Board)
A banking organization must notify the appropriate Board-designated point of contact about a notification incident through email, telephone, or other similar methods that the Board may prescribe. The Board must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
C. Federal Deposit Insurance Corporation (FDIC)
A banking organization must notify the appropriate FDIC supervisory office, or FDIC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the FDIC may prescribe. The FDIC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
VI. BANK SERVICE PROVIDER NOTIFICATION
A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.
· A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.
· If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.
This notification requirement does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.