Federal regulators would require banking-sector organizations to provide notification within 36 hours of a “computer-security incident,” under a proposal that’s raising concerns in the private sector while officials say it simply requires an “early alert” to the government without imposing significant burdens.
“It seems more than a little unfair to impose obligations on the private sector that the government repeatedly shows it is unable or unwilling to meet, when it faces a security incident,” observed Megan Brown of the Wiley law firm. “Thirty-six hours is unrealistic in a fast-moving and unfolding incident, unless the goal is for regulators to get a lot of notices about events that may not be a big deal at all.”
Key industry groups were examining the proposal late last week and declined comment.
The proposal was released on Dec. 18 by the Office of the Comptroller of the Currency, Federal Reserve Board of Governors, and the Federal Deposit Insurance Corporation. A 90-day public comment period begins when the Notice of Proposed Rulemaking is published in the Federal Register, which is expected imminently.
According to the notice, “The OCC, Board, and FDIC invite comment on a notice of proposed rulemaking that would require a banking organization to provide its primary federal regulator with prompt notification of any ‘computer-security incident’ that rises to the level of a ‘notification incident.’ The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.”
The regulators explain: “This notification requirement is intended to serve as an early alert to a banking organization’s primary federal regulator and is not intended to provide an assessment of the incident. Moreover, a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.”
The proposal notes that “current reporting requirements related to cyber incidents are neither designed nor intended to provide timely information to regulators regarding such incidents.”
According to the NOPR, “The proposed rule would define a computer-security incident as an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
The regulators anticipate concerns about the 36-hour rule, saying in the NOPR: “The agencies believe, however, that 36 hours is a reasonable amount of time after a banking organization believes in good faith that a notification incident has occurred to notify its primary federal regulator, particularly because the notice would not need to include an assessment of the incident. The agencies expect only that banking organizations share general information about what is known at the time. Moreover, the notice could be provided through any form of written or oral communication, including through any technological means (e.g., email or telephone), to a designated point of contact identified by the banking organization’s primary federal regulator (e.g., an examiner-in-charge, local supervisory office, or a cyber-incident operations center). The notification, and any information provided by a banking organization related to the incident, would be subject to the agencies’ confidentiality rules.”
And, the regulators say, “This proposal is not expected to add significant burden on banking organizations. Banking organizations should already have internal policies for responding to computer security incidents, which the agencies believe generally already include processes for notifying their primary federal regulator and other stakeholders of incidents within the scope of the proposal.”
The proposal adds, “However, these processes are not uniform or consistent between institutions and have not always resulted in timely notification being provided to the applicable regulator, which is why the agencies are issuing this proposal. This proposal also is not expected to add significant burden on bank service providers. The agencies’ experiences with conducting bank service provider contract reviews during examinations indicate that most of these contracts include incident-reporting provisions. As a result, this proposal is not expected to add significant burden on a material number of bank service providers.”
An initial analysis by law firm Mayer Brown notes that financial regulators in New York State require notice within 72 hours of a covered incident. “Similar requirements have been imposed by some state insurance regulators as part of their adoption of the NAIC Insurance Data Security Model Law. These state laws are in addition to the consumer breach notification laws adopted by all fifty states and the District of Columbia, which may require notification to a state agency as well as the consumers,” according to the analysis.
“In the Proposal, the Federal Regulators indicated that the thousands of regulated financial institutions experience a total of approximately 150 notification incidents per year and estimate 120,000 service providers experience a total of approximately 36 computer security incidents each year. While these numbers are based on the experience of Federal Regulators and may seem low to industry observers, they appear to reflect the Federal Regulators’ high threshold for identifying an event as material,” according to the Mayer Brown analysis.
Further, “Even if the regulatory requirement mirrors a service provider’s existing contractual obligation and the accompanying service levels, the provider may need to consider creating or modifying its compliance program to ensure that it satisfies any notice obligation under any final rule. We expect service providers will raise this issue in comment letters on the Proposal.”
Allison Bender, of counsel at the law firm Wilson Sonsini Goodrich & Rosati, observed, “The proposed rulemaking includes a useful preamble as well as a set of questions that seem to reflect OCC’s desire to avoid an overly broad or onerous new requirement, while still achieving earlier awareness of potentially emerging threats to other banks and the financial sector generally.”
She noted, “Given the 36-hour proposed notice requirement, the SAR [Suspicious Activity Reports] model of fewer details faster, rather than a more detailed but later notice as with state consumer data breaches, is more practical.”
Bender said, “From the perspective of the banking organization, it may complicate preservation of privilege, timing and contents of notifications to other regulators, and heighten expectations from consumers and others regarding how fast you can reasonably expect to be notified. For a ransomware victim, for example, you’ll quickly know the system is affected, but it may be days to weeks before you know enough to tell consumers that their data was on the system affected. OCC’s approach seems to reflect that understanding, but with others, we’ll have to see.” -- Charlie Mitchell