On December 18, 2020, federal financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (collectively, the “Agencies”), announced a proposed rule (the “Proposed Rule”) that would require “banking organizations” to notify their primary federal regulator within 36 hours following any “computer-security incident” that rises to the level of a “notification incident.” The Proposed Rule also would require service providers to notify at least two individuals at the banking organizations they service immediately after experiencing a computer-security incident that materially disrupts, degrades or impairs the services they provide.

The Proposed Rule defines a “computer-security incident” as “an occurrence that (1) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (2) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

In turn, the Proposed Rule defines a “notification incident” as “a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—

(i) the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or

(iii) those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

The Agencies note that the purpose of the notification requirement in the Proposed Rule is to serve as an early alert to the Agencies and is not intended to provide a complete and thorough assessment of any particular incident. Early notification will enable the Agencies to:

  • become aware of emerging threats to individual banking organizations and, potentially, to the broader financial system;
  • assess the extent of a threat to a particular banking organization and take appropriate action;
  • provide information to a banking organization that may not have previously faced a particular type of notification incident;
  • better conduct analyses across supervised banking organizations to improve guidance, adjust supervisory programs, and provide information to the industry to help banking organizations protect themselves; and
  • facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection.

Banking organizations may notify the Agencies by contacting their designated point of contact at each Agency through any form of written or oral communication, including through any technological means. The Proposed Rule notes that a computer-security incident may result from non-malicious hardware or software failure or from human error, but it emphasizes that banking organizations that experience a computer-security incident that may be criminal in nature are expected to contact relevant law enforcement or security agencies, as appropriate, after the incident occurs.

The Agencies have requested comments on key pieces of the Proposed Rule, including (1) whether the definitions of “computer-security incident” and “notification incident” should be modified; (2) whether the 36-hour notification requirement is too short or too long; and (3) which services should require a bank service provider to notify its affected banking organization customers when those services are disrupted, and why.

Interested parties may submit comments within 90 days following publication of the Proposed Rule in the Federal Register.