US banks must now report hacks within 36 hours | Akin Gump Strauss Hauer & Feld LLP
Banking regulators from the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency jointly announced a new rule requiring banking organizations in the United States to notify regulators no later than 36 hours after identifying a cybersecurity breach that could significantly disrupt banking operations. According to the final rule, such an incident could include large-scale distributed denial-of-service (DDoS) attacks that disrupt customers’ access to their accounts and hacking incidents that disrupt a bank’s operations for an extended period of time. The final rule also imposes separate notification requirements on companies that provide services to banks, such as data processors.
The rule is expected to come into effect on April 1, 2022, with a compliance date of May 1, 2022.
Reporting requirements of banking organizations
The new 36-hour deadline is triggered when a bank experiences a “computer security incident” that reaches the level of a “notification incident”.1
The rule is not limited to cyberattacks that expose personal information, but not every computer security incident will trigger the reporting requirement. A “computer security incident” is defined as an incident that “results in a real breach of the confidentiality, integrity or availability of an information system or of the information that the system processes, stores or transmits”.2 A bank is only required to notify its regulator if it experiences a computer security incident that reaches the level of a “notification incident”. Notification incidents are computer security incidents that disrupt or degrade, or are reasonably likely to disrupt or degrade:
- Ability to engage in banking transactions, activities or processes, or ability to provide banking products and services to a significant portion of its customer base, in the normal course of business.
- Line(s) of business, including related operations, services, functions and support, which, if failed, would result in a material loss of revenue, profits or franchise value.3
- Operations, including related services, functions, and support, if any, the failure or termination of which would pose a threat to the financial stability of the United States.4
Once a banking organization determines that a notification incident has occurred, it has 36 hours to notify its federal regulator by email, telephone, or similar method. The final rule notes that regulators realize that after a banking institution experiences a computer security incident, it may take time to determine whether the incident rises to the level of a notification incident.5 The 36-hour countdown therefore only begins after such a determination.
Banking Service Provider Reporting Requirements
Under the final rule, bank service providers include bank service companies or other persons who provide services covered by the Bank Service Company Act (BSCA), but not designated financial market utilities, which are separately regulated by the Federal Reserve. Fintech companies could unwittingly fall under this provision, since banks are not required to notify their suppliers whether they qualify as bank service providers. Fintechs should therefore ask their banking counterparties whether they have been identified as a bank service provider in any correspondence with a banking regulator, and confirm whether they are subject to the BSCA and, therefore, to this new 36-hour notice obligation.
For bank service providers, the notification requirement is triggered once the service provider determines that it has experienced a computer security incident that “has significantly disrupted or degraded, or is reasonably likely to significantly degrade” the covered services provided to a banking organization for four hours or more. This notification must be made “as soon as possible” by e-mail or by telephone to at least one designated point of contact at each affected banking organization customer.6 This requirement applies regardless of any different notification requirements a bank service provider might have under a contractual provision.
The final rule excludes scheduled testing, maintenance, and software updates of which service providers have notified their customers in advance. However, if the planned maintenance, testing or update goes beyond what was communicated to the banking organization customer and meets the notification standard, this exception does not apply.
This final rule is a significant departure from the proposal opened for public comment earlier this year, with the 36-hour time frame replacing “immediate” notification, as well as a more tailored definition of the “computer security incident” that gives rise to a “notification incident”. The April 1, 2022 effective date and May 1, 2022 compliance date reflect requests for more time to implement the rule.
1 Treasury Department, Federal Reserve System, Federal Deposit Insurance Corp., Computer Security Incident Notification Requirements for Banking Organizations and their Bank Service Providers, Final Rule (November 18, 2021), available at https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20211118a1.pdf.
2 Id. at 19.
3 The final rule states that banking organizations must assess this loss to determine whether it is material to the organization as a whole. Id. at 51.
4 Id. at 58-59.
5 Id. at 32.
6 Id. at 70.