US banking regulators propose a rule for 36-hour notice of breach

On December 18, 2020, the US Department of the Treasury (Office of the Comptroller of the Currency), Federal Reserve and Federal Deposit Insurance Corporation (FDIC) jointly announced a 53-page proposed rule that would require banks to notify their regulators within 36 hours of a “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would also affect companies that provide certain services to those banks, including data processing. Those service providers would be required to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.”

The proposed rule would add a definition of “computer security incident” to each agency’s regulations that would read:

an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Most importantly, note that this definition is NOT limited to personal information. Not all “computer security incidents” would require notification to bank regulators. The term “notification incident” would mean a computer security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—

  • the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit or franchise value; or
  • those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The proposed regulation specifically includes as an example of a notification incident a “ransom malware attack that encrypts a core banking system or backup data.” Service providers would be required to notify two individuals at each affected banking organization.

Comments on the proposal

The regulators have indicated that they are seeking comments on the proposal as well as on several questions included in the notice. Among those questions are:

  • Should the definition of “computer security incident” include only occurrences that result in actual harm or actual violation of security policies, security procedures or acceptable use policies?
  • How should the 36-hour timeframe for notification be modified, if at all, and why? Should it be made shorter or longer?
  • Do existing contracts between banking organizations and bank service providers already have provisions that would allow banking organizations to meet the proposed notification incident requirements? The agencies are seeking information on how bank service providers currently notify banking organizations of service disruptions under existing contracts between bank service providers and banking organizations.
  • The agencies invite comments on specific examples of computer-security incidents that should, or should not, constitute notification incidents.

The comment period will commence upon publication in the Federal Register and extend for 90 days.

For more information, please see our white paper.