Daniel Baker

Compliance Officer, Compliance Alliance

Cybersecurity Incident Rule – a household good


My family got its very first computer in the late 1990s, when the internet was really starting to become a necessity for daily life. I remember walking into the store with my mother and the salesman introducing us to multiple different models. Ever frugal, my mother made it a point to find one with a great sale. To this day I remember the gentleman taking us around, telling us that the computer — which had a 512-megabyte hard drive — would store everything that we needed it to without any issues and that if, heaven forbid, we needed more room, we could store documents on 3½-inch floppy disks.

After excitedly taking the computer home and installing our 1-month free CD for dial-up internet, we established our very first email account. Since then — and a dozen or so email accounts later — we as a society have grown very accustomed to getting requests from Nigerian princes for money, notices that our car warranty has expired, that the IRS is sending the police to our house for failure to pay taxes, that we have won a free cruise or that we have won something that we never entered to win. Now a computer hundreds of times more powerful than my first one sits in my pocket and acts as a constant source of spam, junk calls, privacy violations and time-wasting. Don’t get me wrong, I enjoy a good piece of technology as much as anyone, but times have changed, and so do the regulations.

Specifically, one of the regulators’ most recent attempts to protect the consumer comes in the form of the Computer Security Incident Notification rule. This rule applies to FDIC-, FRB- and OCC-regulated banking organizations. The final rule, published on Nov. 18, 2021, establishes a requirement that banks notify their regulator within 36 hours of any significant cybersecurity incident (see 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board, and 12 CFR Part 304 for the FDIC). A notification incident is classified as one that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

In addition to banking organizations, the rule also applies to bank service providers. A bank service provider is a bank service company or other party that performs “covered services” — services covered by the Bank Service Company Act (12 U.S.C. §§ 1861-1867). These include deposit sorting and posting, interest computation, mailing of checks and/or statements, clerical, bookkeeping and accounting services, online banking, mobile banking, etc. Bank service providers are required to notify at least “one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.”

As I’m sure you have heard or seen, the final rule itself isn’t always the clearest. On April 28, 2022, the FDIC and OCC hosted an “Ask the Regulators” webcast to answer questions about the new Computer-Security Incident Notification Rule. During this webcast, they clarified a few different elements. First, the agencies are only seeking notification of the most serious operational disruptions. Incidents that banks can mitigate in the ordinary course of business would generally not require notification under this rule.

Did that help clear it up? I’m sure it didn’t. The regulators further discussed that they expect banks to use good business judgment when considering whether an event is material; if they don’t know, or are unsure, then the bank should consider consulting with legal counsel. If a bank is still unsure about whether an event meets a notification threshold, it should contact its regulatory agency. There is no intent for this rule to result in punishment; rather, the purpose is to create a positive exchange between banks and their regulators.

Specific information is not required at the time of the incident; organizations are only expected to share the general information that is known at that point. In turn, the agencies will do their best to help, which, in some cases, may well mean standing by while the bank manages the situation.

Simply put, everyone is figuring this out a bit at a time. Banks should exercise their best judgment in an effort to follow the rule, and agencies are willing to engage in an exchange with their banks in order to resolve any standing doubts or concerns about whom to notify and when. So while we all enjoy a good piece of technology, we will continue to work together to adapt to the ever-changing environment.