Federal Banking Regulators Propose 36-Hour Cyber Incident Notification Obligation
On January 12, the U.S. Department of the Treasury, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System issued a Notice of Proposed Rulemaking proposing a stringent requirement that all banking organizations notify their primary federal regulator of any “covered computer-security incident” as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred. Although all 50 states and the District of Columbia have enacted legislation in recent years requiring many entities in all sectors to notify affected data subjects, and in many cases state government agencies, of cybersecurity incidents, many of these state statutes do not specify a time frame in which such notifications must be given. Furthermore, none of the state statutes that do specify a time frame expressly requires notification in less than 72 hours, and some give covered entities as long as 90 days.
A “covered computer-security incident” includes, but is not limited to: 1) large-scale distributed denial of service (DDoS) attacks that disrupt consumer account access for more than 4 hours; 2) widespread system outages experienced by a bank service provider; 3) failed system upgrades or changes resulting in widespread user outages; 4) unrecoverable system failures resulting in activation of a banking organization’s business continuity or disaster recovery plan; 5) hacking incidents that disable operations for an extended period of time; 6) malware requiring disengagement of all internet network connections; and 7) ransomware attacks that encrypt core banking systems or backup data. Given this broad definition, the rule would likely encompass incidents caused by unintentional technological glitches and system failures in addition to those caused by nefarious third-party activity.
The proposed rule would also require bank service providers to notify at least two individuals at each affected banking organization client immediately after identifying a covered incident that the provider believes in good faith could disrupt, degrade, or impair services at the banking organization for four hours or longer. Bank service providers subject to this requirement can potentially include entities that provide services to depository institutions such as data processing, check and deposit sorting and posting, posting of interest or other credits and charges, and other clerical, statistical, and administrative functions.
The agencies are currently seeking public comment on the proposed rule until April 12, 2021.