Federal Agencies Issue New Violation Notification Rules for Banking Organizations and Banking Service Providers


Banking organizations must notify their primary federal regulator within 36 hours of certain computer security incidents, and banking service providers must notify the affected banking organizations as soon as possible in the event of an equivalent incident.

In November, the Office of the Comptroller of the Currency (“OCC”), the Federal Reserve Board (“FRB”), and the Federal Deposit Insurance Corporation (“FDIC”) issued a new rule imposing certain breach notification standards on banking organizations and banking service providers.

As cybersecurity incidents continue to rise (such as the SolarWinds hack that resulted in recent lawsuits), the financial services industry continues to see an increased frequency of cybersecurity incidents with heightened severity.

Over the past year, the federal government has taken a more active role in cybersecurity and created new avenues, such as aggressively enforcing cybersecurity standards and contractual requirements on government contractors, to hold responsible bad actors accountable or to set out new rules that entities must follow in response to cybersecurity incidents.

For example, the Federal Trade Commission (“FTC”) recently amended the Safeguards Rule to include specific new cybersecurity requirements that financial institutions must apply.

In this case, the new rule establishes notification requirements for serious cybersecurity incidents in the financial services sector. Faced with the new requirements, entities falling within the scope of the rule will likely need to implement robust cybersecurity monitoring systems that monitor not only incidents involving a data breach, but also the underlying functionality of information technology (“IT”) systems.

According to the three agencies, the notification requirements will provide regulators with better (1) awareness of emerging and more significant threats to financial systems; (2) assessments of the threats and risks posed by an incident, as well as appropriate measures to mitigate the threat; (3) ability to provide banks with assistance through the US Treasury’s Office of Cybersecurity and Critical Infrastructure Protection; and (4) ability to inform future guidance and adjust supervisory programs.

The rule takes effect April 1, 2022, and entities must be fully compliant by May 1, 2022.

Scope and applicability

The new rule applies specific notification requirements to “banking organizations” and “banking service providers”.

While the three agencies have different definitions of what constitutes a “banking organization,” the rule will apply to most banks (or similar entities) operating in the United States. The rule’s definition of “banking service providers” is also broad, probably covering any entity providing covered services to a bank.

Entities considered banking organizations report to the federal agency that is their primary regulator. First, the OCC defines banking organizations as national banks, federal savings associations, and federal branches and agencies of foreign banks. Second, the FRB defines banking organizations as all U.S. bank holding companies, savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and all Edge and agreement corporations. Finally, the FDIC defines banking organizations as all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations.

Second, an entity is considered a banking service provider if it provides “covered services.” The definitions of “banking service provider” and “covered services” are the same across the three agencies.

Covered services include any service subject to the Bank Service Company Act. These services include, among other activities, check sorting; sorting of deposits; calculation or display of interest; posting of credits or charges; and preparing and sending checks, statements, or other similar documents. Covered services also include any other bookkeeping, accounting, or similar service performed for a bank.

Neither “banking organizations” nor “banking service providers” include a designated financial market utility. These entities include companies that have been deemed systemically important under the Dodd-Frank Act. Designated financial market utilities are separately regulated by the Securities and Exchange Commission (“SEC”) or the Commodity Futures Trading Commission (“CFTC”).

The rule applies broadly to banks and related service providers. However, notification requirements are only triggered in certain circumstances.

A “computer security incident” includes any event that results in actual harm to the confidentiality, integrity, or availability of an information system or of information that is processed, stored, or transmitted on such a system. This covers a wide range of potential incidents. However, notification is only required in the case of serious incidents or, in the rule’s terms, when a computer security incident rises to the level of a notification incident.

For a computer security incident to reach the level requiring notification (i.e. a notification incident), the event must either (1) disrupt or materially damage a banking organization; or (2) be reasonably likely to disrupt or materially damage a banking organization.

Material disruption or degradation includes any event that materially affects a banking organization’s (1) ability to carry out banking operations, activities, or processes, or to deliver banking products and services to a material portion of its customers; (2) operations and services that, if they failed, would result in a material loss of revenue, profit, or franchise value; or (3) operations and services that, if they failed, would pose a threat to the financial stability of the United States.

In summary, while the rule will broadly apply to a number of entities, the obligations imposed by the new rule are only triggered by a subset of cybersecurity incidents. However, entities within the scope of the rule will need to monitor the wide range of cybersecurity incidents that occur to determine if they reach a level requiring notification.

Notification requirements

The new rule creates two new notification requirements: one for banking organizations and another for banking service providers.

First, banking organizations must notify their primary federal regulator within 36 hours of determining that a computer security incident has reached the level of a notification incident.

Second, banking service providers must notify each affected banking organization customer, through at least one contact designated by the customer, as soon as possible after the banking service provider has determined that it has suffered a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services for four or more hours.

If the banking organization’s customer has not previously provided a contact, the banking service provider must notify the banking organization’s CEO and CIO (or those in comparable positions) by any reasonable means.

The banking service provider notification requirement does not apply to scheduled maintenance, testing, or updates that have been previously communicated to a banking organization customer.

Practical effects

It is important to note that the scope of what is considered a “computer security incident” is broader than what other laws, including US state breach notification laws, impose on entities.

Traditional breach notification requirements apply to unauthorized access to and disclosure of data. Here, the rule applies to potential disruptions of IT systems or of access to the underlying IT systems. Therefore, the new rule covers much more than actual unauthorized access to or disclosure of data.

This means that entities falling within the scope of the rule will potentially have to expand their cybersecurity monitoring systems to track all cybersecurity incidents. These robust monitoring systems will need to track any disruptions to the underlying functionality of computer systems. Although the definition of a notification incident is narrow and specific, an entity will not be able to correctly determine whether an incident reaches such a level unless it can track and monitor all incidents.

As entities face heightened cybersecurity risks, the new rule’s broad definition of “computer security incident” will require entities within the scope of the rule to review their cybersecurity monitoring systems and to reflect the new notification requirements in their policies and procedures.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
