
More On Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

…and now the new, proactive obligations of banks and their service providers…

In December, we discussed the OCC, Fed, and FDIC’s Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (https://www.fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf) (the INRs). We promised a more detailed analysis of our views on the new regulation, which requires compliance by May 1, 2022, so:

The Service Providers’ Obligations

The INRs require that bank service providers notify their regulated bank customers “as soon as possible” of “computer-security incidents.” Here’s the relevant text with emphasis added:

(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

“As soon as possible,” while somewhat in the eye of the beholder, is unambiguous (at least in regulatory hindsight), but there are legitimate questions about the meaning of “computer-security incident.” We’re pretty sure it doesn’t mean what it sounds like it means, because a computer-security incident is not limited to incidents related to “computer security.” Here’s how the INRs define computer-security incident, with emphasis added:

(4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

“An occurrence” (very broad) that harms the “confidentiality, integrity, or availability” of systems is reportable without regard to whether it involves “computer security.” A real-world example? Certainly the Big Freeze (Texas, February 2021) affected the availability of systems in and outside of Texas and had nothing directly to do with computer security. Some service providers could not provide “covered services” as a result. We believe these interruptions/outages would be reportable. Another example? How about the Fedwire outage in February 2021? Payment providers (critical service providers) relying on the Fed’s systems that could not process payments for customer banks would be required to report the outage. Again, nothing directly related to “computer security,” but certainly a reportable availability issue with a “covered service.”

The INRs’ commentary provides insight into the regulators’ definition of “computer-security incident” (emphasis added):

…Another commenter suggested that some of the examples provided were “inconsistent with” the term computer-security incident, as incidents such as failed system upgrades or unrecoverable system failures are not technically computer-security incidents. The agencies disagree with this comment and believe that the commenter is reading the definition of computer-security incident too narrowly to focus on malicious incidents.

The INRs define “covered services” as services and systems covered by the Bank Service Company Act (discussed below). This definition is very, very broad and, we believe, covers anything reasonably considered critical to the bank or its customers or that involves PII. The INRs require banks to give notice (discussed below) of certain events related to the bank’s “business lines,” which the INRs define as “a product or service offered by a banking organization to serve its customers or support other business needs.” It doesn’t get much broader than that…

Here’s our shorthand definition of “covered services”: products, services, and systems that (1) are or should be considered “critical” to the bank’s operations or to the bank’s customers, or (2) involve the storage, transmission, or use of personally identifiable information (PII).

So, what happens if the service provider does not provide the required notice? Could be quite a lot, actually. The regulators claim authority to enforce the notice obligations of the INRs directly against service providers (even those that are not regulated entities) under the Bank Service Company Act (BSCA). The regulators are right. The BSCA (https://uscode.house.gov/view.xhtml?path=/prelim@title12/chapter18&edition=prelim) says (emphasis added):

…whenever a depository institution that is regularly examined by an appropriate Federal banking agency, or any subsidiary or affiliate of such a depository institution that is subject to examination by that agency, causes to be performed for itself, by contract or otherwise, any services authorized under this chapter, whether on or off its premises
(1) such performance shall be subject to regulation and examination by such agency to the same extent as if such services were being performed by the depository institution itself on its own premises, …

The Banks’ Obligations

The INRs require that a bank notify its federal regulator of an incident “as soon as possible,” and no later than 36 hours after the bank’s determination that the incident qualifies as a “notification incident.” The operative text (with the FDIC as the applicable federal regulator), with emphasis added:

A banking organization must notify the appropriate FDIC supervisory office, or an FDIC designated point of contact, about a notification incident through email, telephone, or other similar methods that the FDIC may prescribe. The FDIC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.

The INRs’ definition of “notification incident” has three prongs, worth quoting in full (emphasis added):

Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

We emphasize subsection (i) as it is the broadest and the most likely to be triggered on a periodic basis. It also is about as clear a standard as one could expect from a regulation. An event that adversely affects the bank’s ability to carry out critical accounting or internal functions is reportable. An event that affects a material number of customers’ ability to conduct bank business is reportable. A fair reading of the INRs would not distinguish between an issue caused by a computer-security event and any other business interruption; either could be reportable.

About the author:

Mark Stetler is the CEO of CRINDATA. He is a licensed attorney and has more than 30 years’ experience in the banking, financial services, fraud, and technology spaces.

About CRINDATA:

CRINDATA, LLC (www.CRINDATA.com) offers unique cloud-based solutions to financial institutions that must actively manage their critical third-party relationships (including their indirect relationships with subcontractors) and must prepare for and mitigate business disruptions and cybersecurity events originating anywhere in the chain of service providers and subcontractors. Concurrently, CRINDATA helps third-party service providers such as core systems, payments providers, transaction monitoring solutions, bankers’ banks, and corporate credit unions by substantially simplifying their due diligence interactions with financial services companies and by providing a compliant, common platform to manage business disruptions and cybersecurity events when they occur.

Reach CRINDATA at info@crindata.com

202.990.6990