Financial institutions and their service providers should prepare to meet new computer-security notice requirements by May 1, 2022. 

NEW RULE OUTLINES COMPUTER-SECURITY INCIDENT NOTIFICATION OBLIGATIONS FOR BANKS

Expand and Clarify

COMPUTER-SECURITY INCIDENT NOTIFICATIONS REQUIRED

On April 1, 2022, new computer-security incident notification requirements for banks and their service providers take effect in the United States. The new requirements expand and clarify the existing notification obligations of financial institutions, which are primarily focused on consumer protection and suspicious activity reporting. Additionally, the new requirements obligate service providers to notify their financial institution customers when certain computer-security incidents occur. Financial institutions and service providers should revise their incident response and business continuity procedures to ensure that they will meet these new requirements when compliance is required on May 1, 2022.

Background

Historically, the federal banking regulators required financial institutions to file two types of reports for certain cybersecurity incidents. First, under the safeguarding authority of the Gramm-Leach-Bliley Act, certain financial institutions have been required to notify their federal regulator of incidents (including cybersecurity incidents) involving unauthorized access to sensitive consumer information. Second, under the reporting requirements of the Bank Secrecy Act, certain financial institutions are required to report incidents involving suspicious activity.

Separately, states have moved in recent years to impose broader cybersecurity incident reporting requirements on state-regulated financial institutions. For example, the New York Department of Financial Services requires institutions that it regulates to report certain cybersecurity events to the agency within 72 hours. Similar requirements have been imposed by some state insurance regulators as part of their adoption of the NAIC Insurance Data Security Model Law. These state laws are in addition to the consumer breach notification laws adopted by all 50 states and the District of Columbia, which may require notification to a state agency as well as to the affected consumers.

How and When

WHAT ARE THE NEW NOTIFICATION REQUIREMENTS?

The notification requirements impose obligations on financial institutions and their service providers. For these purposes, a financial institution includes a national or state bank, a savings association, an Edge or agreement corporation, a U.S. branch or agency of a foreign bank, and a bank or savings and loan holding company. The federal banking regulators confirmed in the preamble to the new requirements that nonbank subsidiaries of financial institutions generally are not required to provide notice, unless they otherwise fall within the definition. A covered financial institution does not include credit unions.

Financial institutions and computer-security incident notifications

Financial institutions are required to notify their appropriate federal regulator of a "notification incident" as soon as possible and no later than 36 hours after the institution determines that a reportable event occurred. This is shorter than the reporting deadline established by other regulators, such as the New York Department of Financial Services.

The notification may be provided in written or oral form (including email or telephone) and may be made to the institution's designated point-of-contact at the federal regulator. The notification should convey whatever general information is known to the institution regarding the incident but does not need to be made using a specific form or format.

When a computer-security incident notification is required

A "notification incident" is a computer security incident that has materially disrupted or degraded:

1. The ability of the institution to carry out banking operations, activities or processes or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

2. Any business line of an institution, including associated operations, services, functions and support, and the incident would result in a material loss of revenue, profit or franchise value; or

3. Those operations of an institution, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

While the definition is broad, there are materiality qualifiers that could limit its applicability to a small subset of incidents. A "computer security incident" is further defined as "an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits." This is narrower than the definition in the proposal, which would have included potential occurrences and occurrences that constituted a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

However, the federal regulators have emphasized that the definition of a computer security incident remains broad and can include non-malicious occurrences, such as the failure of hardware and software and personnel errors.

Service providers and computer-security incident notifications

A service provider is any person or entity that performs services for a financial institution that are subject to the Bank Service Company Act. This can include an affiliate or another financial institution that provides covered services. While the new requirements do not further define the services that are subject to that law, the federal regulators arguably have abandoned their expansive position that covered services could include components that underlie other covered services.

The new requirements explicitly obligate a service provider to notify each affected financial institution customer as soon as possible after the service provider determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a financial institution for four or more hours. A service provider may comply with its duty by notifying a contact designated by the financial institution or, if no such contact has been designated, notifying the financial institution's chief executive officer and chief information officer (or two individuals of comparable responsibilities). To ensure that notices are directed to the correct persons for immediate action, financial institutions should consider establishing a monitored email address and including this email address in their contracts with service providers.

While many existing service provider contracts already include incident-reporting provisions, these new requirements apply to service providers regardless of the content of a contract with the financial institution. Further, the new requirements do not abrogate contracts that contain more stringent incident-reporting provisions.

Be Prepared

TIMING, TAKEAWAYS FOR COMPUTER-SECURITY INCIDENT REQUIREMENTS

The new requirements become effective on April 1, 2022, but compliance is not required until May 1, 2022. Financial institutions and their service providers should use the remaining month to review their incident response policies and playbooks to ensure that they address the new requirements discussed above. While it is likely that they already have procedures for identifying and reporting a wide range of incidents, the relevant thresholds, timing, and report formats vary across regulators and jurisdictions. Accordingly, financial institutions and service providers may need to add provisions addressing these new requirements. Furthermore, financial institutions may want to establish a monitored email address for notice and include it in contracts to ensure timely receipt of these notices from service providers.

Additionally, service providers should consider how they will go about notifying financial institution customers. For some service providers, it may be more efficient to agree to a designated point of contact in advance to avoid the scramble of finding contact information for a customer's chief executive officer and chief information officer during an incident. Approaches will vary across service providers, particularly those with larger and more complex business operations, but should be thought through now.

Originally published by Abrigo

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe - Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.