Federal Regulators Adopt New IT Security Incident Notification Requirements for Banks and Service Providers | Pillsbury Winthrop Shaw Pittman LLP

Banks’ notification obligations

Under the new, finalized rule, banking organizations will be required to notify their lead federal regulator of a significant IT security incident, known as a notification incident, as soon as possible but no later than 36 hours after the banking organization determines that such an incident has occurred. A computer security incident is an incident that undermines the confidentiality, integrity or availability of an information system or of the information that the system processes, stores or transmits. Banking organizations should notify their lead federal regulator when such an incident has had a material impact, or is reasonably likely to have a material impact, on their operations, their ability to provide products and services, or one or more of their lines of business in a way that could have a significant financial impact. Banking organizations must also provide this notification when an incident could pose a threat to the stability of the financial sector.

Banking organizations should provide the notice to the appropriate agency supervisory office, or designated point of contact, by email, telephone, or other methods that the agencies may prescribe. The preamble to the final rule clarifies that the agencies expect banking organizations to share general information about what they know about the incident, but that there is no specific form or template for notification and no specific information is required in the notification other than that an incident has occurred.

By enacting this rule, federal regulators have highlighted concerns about increasingly frequent, sophisticated and serious cyber attacks against the financial services industry. However, regulators have also pointed out that notification incidents can result from non-malicious hardware and software failures, personnel errors, and other causes that can disrupt or degrade banking service offerings. Regulators have included a non-exhaustive list of incidents that are generally considered notification incidents, covering both malicious and non-malicious IT security incidents. Examples of incidents that may be non-malicious but still require notification to a regulator include failed system upgrades that lead to widespread outages and unrecoverable system failures that cause a banking organization's business continuity or disaster recovery plan to be activated.

This new reporting requirement will apply to banking organizations regulated by the OCC, Federal Reserve, and FDIC, including: domestic banks, federal savings associations, and federal branches and agencies of foreign banks overseen by the OCC; US bank holding companies and savings and loan holding companies, state member banks, US operations of foreign banking organizations, and Edge and agreement corporations overseen by the Federal Reserve; and insured state non-member banks, branches of state-licensed foreign banks, and FDIC-supervised insured state savings associations. Designated financial market utilities are exempt from the rule. Nor does the rule generally apply to fintechs or other nonbank financial institutions, although, as discussed in more detail below, banking service providers will be subject to a separate obligation to notify banking organizations of certain incidents.

Some of these banking organizations are licensed or regulated by the New York Department of Financial Services (NYDFS) and have already been required to notify the NYDFS within 72 hours of determining that a covered cybersecurity event has occurred. The new federal rule will of course dramatically reduce the time within which these banking organizations must first report incidents to a regulator. However, the new federal rule is narrower in some ways than the existing NYDFS rule. For example, the NYDFS rule covers both successful and some unsuccessful cyber attacks, while the new federal rule only covers incidents that actually harm bank information or systems.

Notification obligations of banking service providers

Banking service providers will also be subject to new reporting obligations when the rule takes effect. The rule applies to service providers that provide services subject to the Bank Service Company Act, 12 USC § 1861 et seq. (BSCA). Services covered under the BSCA include sorting and posting checks and deposits, computing and posting interest and other credits and charges, preparing and mailing checks, statements, notices and similar items, or any other clerical, bookkeeping, accounting, statistical or similar functions performed for a depository institution, which may include data processing, internet banking or mobile banking.

Banking organizations are already required by the BSCA to notify their regulator of contracts or other similar agreements with service providers. However, there is no corresponding obligation for a banking organization to inform a service provider that the banking organization has informed its regulator that the service provider provides services subject to the BSCA. Service providers should therefore consider asking their bank customers whether the banking organization has designated them as service providers under the BSCA in order to assess whether they are subject to this new rule.

Covered service providers will be required to notify their banking organization customers as soon as possible after determining that they have experienced an IT security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the covered services provided to that banking organization for four hours or more. Service providers must report such an incident to the point of contact designated by the banking organization customer or, if no contact has been so designated, to the CEO or CIO.

This standard is separate from, and broader than, the standard governing when a banking organization must report an incident to its primary regulator. It will remain the responsibility of a banking organization to determine when an incident reported to it by a service provider should also be reported to the banking organization's primary federal regulator.

In the preamble to the final rule, the agencies noted that the notification requirement in the new rule is independent of any contractual provision. Banking service providers must therefore comply with this new requirement even when their contracts specify different notification standards than those created in the new rule.

Banking organizations and covered banking service providers will soon be required to comply with these new notification requirements and should now review their threat detection and incident response plans and capabilities to ensure that IT security incidents are quickly detected and reported appropriately. As these threats become more sophisticated and nefarious, it is essential to have an effective cybersecurity program and corresponding incident response plan in place to stay in compliance with regulatory requirements and mitigate operational risk.

Banking organizations should also consider formally designating one or more points of contact who will receive notifications from service providers, possibly through contractual terms, to ensure that the reporting line is clearly understood and that incident notifications are not missed or misdirected. Banking organizations should also consider establishing or supplementing existing policies and procedures to clearly define the steps they will take to assess notifications from service providers, both to assess the impact on the banking organization's information and systems and to determine whether a notification received from a service provider should be reported to the organization's primary regulator. Finally, banking organizations should consider consulting with their lead regulator to determine the regulator's preferred method of receiving notification incident reports, to ensure that reports to the agency are received and acknowledged.