US Cyber ​​Regulations: Banking Standards

0
1
US Cyber ​​Regulations: Banking Standards

United States:

U.S. Cyber Regulations Expand: Banking Agencies Approve New Incident Notification Requirements

Manatt, Phelps & Phillips LLP

To print this article, all you need is to be registered or login on Mondaq.com.

Story Highlights

  • 25 November 2021

On November 18, the Office of the Comptroller of the
Currency, the Federal Reserve and the Federal Deposit Insurance
Corporation (FDIC) adopted a rule that will require banking
organizations and their bank service providers to give notice
of certain computer-security incidents. FDIC Chairman Jelena
McWilliams noted that the rule “addresses
a gap in timely notification to the banking agencies of the most
significant computer-security incidents affecting banking
organizations.” Like many other rules governing the
banking system, the federal prudential banking regulators
adopted substantively identical versions of the rule. This new
rule reflects continued efforts by federal regulators to update the
regulations governing security controls for financial institutions:
In October, the FTC recently updated its separate Safeguards Rule
to require (among other things) encryption at rest and in transfer,
multi-factor security or more secure equivalents, and secure
development practices. The Safeguards Rule is applicable to
financial institutions under FTC jurisdiction, rather than that of
the federal prudential banking regulators or another regulator, and
indirectly their service providers.

Why This Matters:

Although financial institutions have long been informally
expected to share security threats and incidents with their federal
prudential banking regulators, the rule creates a new
urgency around incident notifications and
express regulatory obligations in support
of that expectation. Beginning May 1, 2022, banking
organizations and their service providers will have to comply
with new notification requirements: A banking organization
will need to inform its federal prudential regulator within 36
hours of determining a certain type of security
incident occurred, and a banking organization’s service
provider will have to inform the banking organization of
certain types of incidents as soon as possible.  Requirements for Banking Organizations:

Banking organizations must notify their primary
federal regulator of a “notification
incident” no later than 36
hours after determining that a notification incident
has occurred. Notice can be made by email, phone or similar methods
prescribed by the prudential banking regulator for that
banking organization. Thirty-six hours is a quick turnaround-half
the time allowed by the similar requirement imposed in the New York DFS Cybersecurity Regulation. For a notification incident to occur, a banking
organization must experience “actual harm to the
confidentiality, integrity, or availability of an information
system or the information that the system processes, stores, or
transmits” and the incident must
have “materially disrupted or degraded, or is
reasonably likely to materially disrupt or degrade,” a banking
organization’s (i) ability to carry out operations or
deliver products and services to a material portion of its
customers; (ii) business lines that, if failed, would result
in material loss of revenue, profit, or franchise value; or
(iii) operations that, if failed or
discontinued, would pose a threat to the financial
stability of the United States. Notably, there is no
requirement that the incident result in actual or potential
exposure or acquisition of customer information; those separate
incidents remain subject to the existing Interagency Guidelines Establishing Information
Security Standards. (The FTC’s separate Safeguards Rule for
FTC-regulated financial institutions has not included a
notification requirement for misuse or exposure of customer
information. As part of its decision to approve updates to the
Safeguards Rule, the FTC proposed requiring notification in case of
security incidents in which “the misuse of customer
information has occurred or is reasonably likely, and at least
1,000 consumers have been affected or reasonably may be
affected.” This will help bring the Safeguards Rule’s
protections closer to the Interagency Guidelines’ existing
breach notification requirements for financial institutions
regulated by the federal prudential banking regulators.)

Requirements for Service Providers: Unlike the strict notification time frame for banking
organizations, service
providers are required to notify the affected
banking organization “as soon as possible” once
the provider has determined it has experienced a
computer-security incident that has “materially disrupted or
degraded, or is reasonably likely to materially disrupt or degrade,
covered services provided to such banking organization for four or
more hours.” Covered services are those performed by a
person subject to the Bank Service Company Act. As adopted,
the rule provides service providers with some space to make
the determination, requiring notification “as soon as
possible,” rather than the proposed “immediately,”
which would have been a tough-if not impossible-standard to
meet. As the regulators note, “immediate notice may leave no
time lapse ‘between when a computer-security incident occurred
and when notification has to happen.’”

Practical Implications:
Banking organizations have a short window to make
notice upon determining a notification incident
occurred. Once effective, the rule will impose
one of the shortest notification time frames in the United States
(36 hours). While this time frame is not triggered until the
banking organization determines a
notification incident occurred-a change from the initial proposal
to start the clock at a “good faith
belief”-the short window means that entities will
need to have their ducks in a row at the time that the
determination is made. For example, entities should establish clear
processes and procedures for quickly evaluating the
severity of a compromise of the confidentiality, integrity
or availability of a computer system or the information in
it.

The rule is intended to address material
incidents, such as ransomware or major computer-system
failures. The federal prudential banking
regulators intentionally narrowed the definition of
computer-security incidents and declined to incorporate
the National Institute of Standards and Technology
(NIST) version. “Actual harm” to an
information system or information contained within it is
required in order for an incident to qualify as a
computer-security incident. In response to comments, the
federal prudential banking regulators removed internal policy or
procedure violations as a notification trigger. As
the federal prudential banking regulators explain in adopting
the rule, “[t]hese changes narrow the focus of the final
rule to those incidents most likely to materially and adversely
affect banking organizations.” To those regulators,
the types of incidents they are concerned with are “major
computer-system failures, cyber-related interruptions, such as
distributed denial of service and ransomware attacks, or other
types of significant operational interruptions,” and they
looked to ransomware, trojan, zero day, and similar types of
attacks to evaluate the likely number of annual events resulting in
notification. In fact, Chairman McWilliams explicitly
acknowledged that the rule seeks to avoid
“unnecessarily difficult or time-consuming reporting
obligations.”

Although the final criteria for notifiable
incidents are narrower than originally proposed, the
requirements are potentially broader than existing state breach
notification laws. Notwithstanding the well-intended
efforts to limit requirements to the “most significant
cyberattacks,” the rule
likely requires notice for incidents that would not
trigger notification under existing state laws because the
rule’s definition of notifiable incidents is based on
impacts to systems and not
unauthorized access to or acquisition of consumer personal
information. For example, the federal prudential banking
regulators provide (non-exhaustive) examples
of computer-security incidents that would meet the
threshold of a “notification
incident,” including “large
scale distributed denial of service attacks that disrupt
customer account access for an extended period of time (e.g.,
more than 4 hours).” Under the rule, security events
that organizations once may have addressed through a
strategic “systems outage” communication may
now evoke a legal obligation to notify federal regulators.
Entities subject to the New York DFS
Cybersecurity Regulation will need to evaluate security
incidents carefully, as in some cases
that state regulation may be broader (for
example, when faced with unsuccessful attempts) and in other
cases the new federal rule may be broader (for
example, for incidents that could pose a threat to the
financial stability of the United States but are unlikely to
materially harm a material part of the entity’s normal
operations). Based on the regulators’ explanations
accompanying publication of the rule, ransomware and major
computer-system failures will likely require notification-even if
no customer information is affected.

Addressing security requirements in contracts
continues to be critical. In addition
to mandating notification
requirements for service providers, the rule
introduces very
specific methods for providing that notice.
The implied effect of those requirements is that regulators
expect service provider contracts to address security requirements,
including notification protocols, to the extent they do not
already. The practical effect of the rule means
that if the applicable contract fails to incorporate those
provisions, service providers may be forced to
escalate security events to the highest members of their
customer organizations (i.e., the CEO).
Such compulsory escalation can create challenges,
inefficiencies and unnecessary strain for both
service providers and banking organizations,
which could be avoided by appropriately addressing
security considerations in applicable contracts.

Assuming existing contractual provisions between
the banking organization and its third-party service
providers adequately address security
incident obligations, this flow-down obligation may not
have significant practical consequence, except on a banking
organization’s separate obligation to ensure its
service providers’ ongoing compliance with applicable
law. The cumulative impact of the changes to the federal
regulatory framework may have greater impacts on the third-party
service providers who support both banking organizations and
FTC-regulated financial institutions, as the revisions to the
Safeguards Rule impose further specific controls on security, such
as encryption and multi-factor security noted above. Notice must be given to a bank-designated point of contact,
if previously provided, or to the bank’s chief executive
officer and chief information officer (or comparable roles) in
cases where the bank has not provided a point of contact.
Notification is not required for any scheduled maintenance, testing
or software updates that have been previously communicated to the
banking organization.