Requirements for Notifying Primary Federal Regulators About Computer-Security Incidents
by Kalyn Yzaguirre, Senior Examiner/Supervisory Specialist, Examinations & Inspections, Federal Reserve Bank of Kansas City
Cyberattacks carried out against banks have been on the rise over the past several years. According to data from the Financial Crimes Enforcement Network (FinCEN), over 27,000 cyber-related suspicious activity reports were filed in 2021,[1] a 34 percent increase from the prior year. These attacks may take many forms, including ransomware, denial of service attacks, or account hijacking. In addition to targeting banks, malicious cyber actors may target third parties or those in the software supply chain.
Attackers are constantly altering their approaches to stay ahead of cyber defenders. As part of sound risk management, banks are expected to have plans in place to respond to cyber incidents. As discussed later in this article, the Federal Reserve and the other federal banking agencies require banking organizations to notify their primary federal regulator of a cyber incident (referred to as a computer-security incident) that has had, or will have, a material impact on the organization.
Final Rule Establishes Computer-Security Incident Notification Requirements
On November 23, 2021, the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) (collectively, the federal banking agencies) issued a notification rule that requires banking organizations[2] to notify their primary federal regulator of certain computer-security incidents.[3] In summary, the rule requires a banking organization to notify its primary federal regulator of a material computer-security incident (referred to as a notification incident) as soon as possible and no later than 36 hours after the banking organization determines that such an incident has occurred. As of May 1, 2022, banking organizations are expected to be in compliance with the notification rule.
The goal of this new regulation is to promote early awareness of emerging threats from computer-security incidents to banking organizations and the broader financial system. Not all computer-security incidents require notification. Rather, the rule focuses on computer-security incidents that have had, or are likely to have, a material impact on a banking organization’s operations or its ability to deliver banking products and services to a significant portion of its customer base.
The federal banking agencies expect that this early awareness will also help them react to these threats before they become systemic, since a bank’s prompt notification gives the agencies time to assess whether an incident at one organization poses a risk to others.
Recognizing that many banks outsource critical operations and processes, the notification rule also applies to their service providers. Therefore, when there is a computer-security incident at a bank service provider, the service provider is required to notify its affected banking organization customers as soon as possible. The service provider provisions of the rule cover a computer-security incident that has caused or is likely to cause a material disruption or degradation in services for four or more hours.
What Is a Reportable Notification Incident?
After establishing that a computer-security incident has taken place, a bank must determine whether the incident qualifies as a notification incident under the rule. Two parts of the rule’s definition of notification incident are most relevant to community banks. Specifically, a notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- ability to carry out banking operations, activities, or processes, or its ability to deliver banking goods and services to a material portion of its customer base in the ordinary course of business, or
- business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value to the bank.
See Examples of Reportable Notification Incidents for incidents that a bank should report. Ultimately, a bank must make its own determination regarding what is material to its financial condition and business operations.
Where and When to Report a Notification Incident
To comply with the rule, a Federal Reserve–supervised institution must report a notification incident to the Federal Reserve Board by email (incident@frb.gov) or by phone (866-364-0096). As previously mentioned, a supervised institution is expected to notify the Fed about a notification incident as soon as possible and no later than 36 hours after the bank determines a reportable incident has occurred.
The notification rule also requires a bank’s service provider to notify its affected banking organization customers as soon as possible of a computer-security incident that is likely to cause a material disruption or degradation in services for four or more hours. Once a bank receives such a notice from its service provider, the bank must determine whether it is experiencing a notification incident. If this is the case, the bank is required to notify its primary federal regulator.
Information on Implementing the Notification Rule
Under the notification rule, there are no forms to complete. Further, a bank is not required to provide specific information in the notice to the primary federal regulator other than that a notification incident has occurred. Rather, the aim is to open a dialogue between the bank and its regulator. The Federal Reserve and the other federal banking agencies anticipate that a bank will need a reasonable amount of time to determine that it has experienced a notification incident. For example, if an incident occurs outside of normal business hours, the Federal Reserve does not expect a supervised financial institution will be able to determine immediately that the incident is a notification incident under the rule. For additional guidance on implementation of the notification rule, Federal Reserve–supervised institutions should refer to the Fed’s guidance, “Contact Information in Relation to Computer-Security Incident Notification Requirements,” which includes information on how to contact the Federal Reserve.[4]
Summary
When it comes to cybersecurity, threat actors appear to be showing no signs of slowing down their attacks. The ultimate goal of the notification rule is to mitigate information security risks to U.S. banking organizations and safeguard our financial system.
Examples of Reportable Notification Incidents
Source: The preamble to the notification rule at www.govinfo.gov/content/pkg/FR-2021-11-23/pdf/2021-25510.pdf
- [1] See FinCEN, “SAR Filings by Industry for the Period January 1, 2014, to December 31, 2021,” available at www.fincen.gov/reports/sar-stats/sar-filings-industry. Trend data can be accessed by downloading the Excel file “Depository Institution” and selecting the tab marked “Exhibit 5.”
- [2] For purposes of the notification rule, “banking organizations” includes the following institutions supervised by the Federal Reserve: U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations. The notification rule also applies to banking organizations supervised by the FDIC and the OCC.
- [3] See 86 Federal Register 66,424 (November 23, 2021), available at www.govinfo.gov/content/pkg/FR-2021-11-23/pdf/2021-25510.pdf. See also 12 CFR 225.300–225.303.
- [4] See Supervision and Regulation letter 22-4/Consumer Affairs letter 22-3, available at www.federalreserve.gov/supervisionreg/srletters/SR2204.htm. For nonmember state banks, refer to the FDIC Financial Institution Letter (FIL) 12-2022, and for national banks, refer to OCC Bulletin 2022-8.