…and now the game on incident reporting changes.
In earlier commentary here, we discussed the regulations proposed by the US banking regulators, OCC, Fed, and FDIC, that would impose significant new requirements on virtually every bank operating in the US and every vendor/service provider providing products and services to these banks. On November 23, 2021, the regulators adopted Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, which you can find here: https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf.
We will discuss the details of the new regulation in future posts. For now, here are important takeaways and questions/answers on the Incident Notification Regulations (INRs):
Who is burdened by the INRs?
Every federally and state-chartered bank regulated, supervised, or insured by the OCC, Fed, or FDIC (including foreign banks) and every person and entity that provides any “covered service” (which, as discussed below, means just about any critical service on which the bank or the bank’s customers rely) to any of these banks. Designated “Financial Market Utilities” under Dodd Frank are specifically excluded from both prongs (service provider and bank) of the INRs.
What are the essential obligations in the INRs?
(1) Service providers must give their bank customer notice “as soon as possible” of an incident “that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours” (emphasis added).
The INRs define “covered services” as anything covered by the Bank Service Company Act (discussed below), but the definition can be gleaned from the INR’s definition of “business line”: “a product or service offered by a banking organization to serve its customers or support other business needs.” Commentary regarding this definition makes clear the regulators’ intent to create a broad definition of “covered services” that is consistent with the definition of “core business line” under Section 165(d) of Dodd Frank.
Our view is that the regulators intended for the term “covered services” to have a very broad definition that accounts for internal and external (consumer-facing) services and systems. The INRs do not offer a materiality standard, but one could reasonably conclude the regulators are unlikely to scrutinize the interruption of services immaterial to the bank’s operations or the bank’s customers. On the other hand, any interruption “for four or more hours” of any service that could be critical or material to bank operations or bank customers should be considered a covered service subject to the notification requirements.
(2) A bank must notify its federal regulator of an incident “as soon as possible” and no later than 36 hours after the bank determines the incident qualifies as a notification incident.
The INR’s definition of “notification incident” has three prongs, the two most informative of which are: an incident
“…that a banking organization believes in good faith could materially disrupt, degrade, or impair (1) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (2) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value…”
Reading the INRs in the context of the commentary, we would add that the regulators are attempting to gain insight and early warning into material and/or systemic issues that could affect an individual bank, a group of banks, or the banking system. As such, the failure or interruption of critical systems, or the exposure of material Personally Identifiable Information, is likely to be considered a “notification incident.”
Do the INRs impose obligations directly on bank vendors/service providers?
Yes. As discussed above, the service provider is obligated to give the prescribed notice—failing which there could be direct enforcement action against the service provider.
How do the INRs purport to regulate bank service providers that are not directly regulated?
The regulators rely on the Bank Service Company Act (https://uscode.house.gov/view.xhtml?path=/prelim@title12/chapter18&edition=prelim), which states (with emphasis added):
…whenever a depository institution that is regularly examined by an appropriate Federal banking agency, or any subsidiary or affiliate of such a depository institution that is subject to examination by that agency, causes to be performed for itself, by contract or otherwise, any services authorized under this chapter, whether on or off its premises—
(1) such performance shall be subject to regulation and examination by such agency to the same extent as if such services were being performed by the depository institution itself on its own premises, and
(2) the depository institution shall notify each such agency of the existence of the service relationship within thirty days after the making of such service contract or the performance of the service, whichever occurs first.
Do the INRs cover only what we typically think of as cybersecurity incidents (attacks, breaches, etc.)?
No. The regulators’ intent is clear from the commentary even as the language of the INRs creates ambiguity. The regulations call the event that triggers the notification requirements a “computer-security incident,” but the definition of that term does not actually mention “computer security.” Rather, it keys the notification requirements to: “…an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
The commentary specifically addresses this issue, stating that a notification incident need not be the result of nefarious actions. It need not be caused by a cybersecurity or data breach or anything that one might naturally understand as a “computer security” incident. From the commentary:
…Another commenter suggested that some of the examples provided were “inconsistent with” the term computer-security incident, as incidents such as failed system upgrades or unrecoverable system failures are not technically computer-security incidents. The agencies disagree with this comment and believe that the commenter is reading the definition of computer-security incident too narrowly to focus on malicious incidents.
We would have preferred that the regulators use a standard more akin to the concepts encompassed in business continuity practice (e.g., service disruption, data breach, etc.), as we believe that the “computer-security” nomenclature will continue to confuse the casual practitioner. Nevertheless, while the language of the INRs can be ambiguous, the commentary is not. Any incident (including disruptions that have little to do with “computer security”), malicious, benign or otherwise, that “could” result in “actual harm” is covered.
[updated: 17 January 2022]
About the Author:
Mark Stetler is the CEO of CRINDATA. He is a licensed attorney and has more than 30 years’ experience in the banking, financial services, fraud, and technology spaces.
About CRINDATA:
Founded by Mark and former FinCEN Director Jim Freis, CRINDATA helps financial institutions and their critical service providers identify, map, and manage the risks of critical dependencies on outsourcing relationships and proactively address potential business continuity, business disruptions, and cybersecurity events.