The three prudential bank regulators published Final Rules for Computer-Security Incident Notification Requirements (Final Rules) on November 23, 2021. The purpose of the Final Rules is to promote timely notification of computer-security incidents that materially and adversely affect an insured depository institution. The new rules apply to insured depository institutions and to bank service company providers performing covered services for financial institutions. The Final Rules take effect on April 1, 2022, with full compliance extended to May 1, 2022. 

Notification required under the Final Rules must be made by an insured depository institution to its primary federal banking regulator as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. Notification must be made by a bank service provider to each affected banking organization as soon as possible when the bank service provider determines it has experienced a computer breach incident that has materially disrupted or degraded the covered service for more than four hours.

Key to the duties to report are the definitions of two terms: “computer security incident” and “notification incident.” A computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or information that the system processes, stores, or transmits. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s (i) ability to carry out banking operations, activities, or processes or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business lines, including associated operations, services, functions, and support that, upon failure, would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The criteria set forth in the notification incident definition make clear that the focus of the Final Rules is on incidents that materially and adversely impact a banking organization rather than on specific types of information systems. 

A non-exhaustive list of incidents that are generally considered “notification incidents” under the Final Rules was included in the Federal Register publication:

1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, generally more than four hours

2. Widespread system outages experienced by a bank service provider that is used by a banking organization for its core banking platform to operate business applications, where recovery time is undeterminable

3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees

4. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan

5. A computer hacking incident that disables banking operations for an extended period of time

6. Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections

7. A ransom malware attack that encrypts a core banking system or backup data

Banking organizations must consider, on a case-by-case basis, whether any significant computer security incidents they experience constitute notification incidents for purposes of notification to their primary regulatory agency.

While banking organizations must provide notice to their primary regulator, bank service providers are required to notify at least one bank-designated point of contact at each affected banking organization as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. If there is no bank-designated point of contact, the bank service provider must provide notification to the chief executive officer and chief information officer of the banking organization. 

This regulation does not affect the banking organization’s obligations under federal privacy regulations or state statutes or regulations regarding privacy or notice of a breach.