Financial regulatory agencies are mulling over a potential rule change that would require banks to notify their supervisory regulators in the event they experience a data breach.
The rule was recently announced by the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC).
The proposal, formally titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (PDF), was published in the Federal Register on Tuesday. Under the proposal, supervised banking organizations would be required to notify their primary federal regulator of any computer-security incident as soon as possible, and no later than 36 hours after the organization determines that an incident has occurred.
How to define when an incident is worth reporting can of course be a topic of debate. According to the text of the proposal, a bank would have to come to a "good faith" belief that a notification incident has occurred; the proposal defines this as an incident that could disrupt, degrade, or impair services - subject to the Bank Service Company Examination Coordination Act (BSCA) - for four or more hours.
Notification is required if the incident affects any of the following:
- the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit or franchise value; or
- those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
In addition, the notice says the bank service provider would also have to notify "two individuals at affected banking organization customers" under the same circumstances.
“The proposed rule would establish a significant computer-security incident notification requirement, which would support the safety and soundness of entities supervised by the agencies,” the proposal reads.
The regulators are aligning the term "computer security incident" with the National Institute of Standards and Technology's (NIST) definition, meaning that any "occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies" would qualify as one.
The Federal Reserve, FDIC, and the Department of the Treasury gave examples of computer security incidents, including computer-system failures, cyber-related interruptions such as a denial-of-service or ransomware attack, or any other type of significant operational interruption.
Because it was published in the Federal Register today, the OCC, the Federal Reserve Board, and the FDIC are inviting comment on the proposal for the next 90 days, or until April 12, 2021.
As it is a proposal, none of these requirements are set in stone just yet. The proposal asks how "computer security incident" and "notification incident" should be defined, whether the 36-hour window should be changed, and so on. Further questions on the proposed rule can be found in the Federal Register document.
It has been 15 years since federal guidance was last issued on an organization's responsibility to report unauthorized access to its systems.
It was back in 2005 that Federal Financial Institutions Examination Council (FFIEC) agencies were urged to notify their primary federal regulator if there had been an incident involving unauthorized access to or use of sensitive customer information. That guidance stems from section 501(b)(3) of the Gramm-Leach-Bliley Act (GLBA). Banking organizations can also report disruptive cyber events through Suspicious Activity Reports (SARs). While there are rules on reporting access to customer data, there is nothing explicit regarding incidents in which no customer data is exposed.