Blog: Financial regulatory agencies announce proposed rule requiring reporting of cybersecurity incidents: finance and banking – BollyInside

Organizations Subject to the New Requirements The proposed rule was jointly announced by the Office of the
Comptroller of the Currency, Treasury (OCC), the Board of Governors
of the Federal Reserve System (“Board”), and the Federal
Deposit Insurance Corporation (FDIC). Below we set out key
takeaways from the Notice of Proposed Rulemaking (NPR).

The proposed rule would apply to supervised banking
organizations and bank service providers, as described in the
NPR:
A notification incident is a
“computer-security incident” that a banking organization
believes in good faith could materially disrupt, degrade, or impair
(i) the ability of the banking organization to carry out banking
operations, activities, or processes, or deliver banking products
and services to a material portion of its customer base, in the
ordinary course of business; (ii) any business line of a banking
organization, including associated operations, services, functions
and support, and would result in a material loss of revenue,
profit, or franchise value; or (iii) those operations of a banking
organization, including associated services, functions and support,
as applicable, the failure or discontinuance of which would pose a
threat to the financial stability of the United States.

The proposed rule defines a “computer-security
incident” as an occurrence that (i) results in actual
or potential harm to the confidentiality, integrity, or
availability of an information system or the information that the
system processes, stores, or transmits; or (ii) constitutes a
violation or imminent threat of violation of security policies,
security procedures, or acceptable use policies.

The proposed rule would require banking organizations to notify
their primary federal regulator in the event of a
“notification incident.” Banking organizations would be required to notify their primary
federal regulator as soon as possible and no later than 36 hours
after the banking organization believes in good faith that a
notification incident has occurred.

Proposed Reporting Requirements for “Notification
Incidents”
Banking organizations would include the
following organizations, depending on the relevant supervisory
regulatory authority:

For the OCC, “banking organizations” would include
national banks, federal savings associations, and federal breaches
and agencies.

For the Board, “banking organizations would include all
U.S. bank holding companies and savings and loan holding companies;
state member banks; the U.S. operations of foreign banking
organizations; Edge and agreement corporations.

For the FDIC, “banking organizations” would include
all insured state nonmember banks, insured state-licensed branches
of foreign banks, and state savings associations.

Bank service providers would include entities
that provide services that are subject to the Bank Service Company
Act (BSCA), including but not limited to preparation and mailing of
checks, statements, notices, and similar items, or any other
clerical, bookkeeping, accounting, statistical, or similar
functions performed for a depository institution.

The proposed rule would constitute a notable departure from
current federal reporting requirements for financial institutions
under the Bank Secrecy Act (BSA) and the Gramm-Leach-Bliley Act
(GLBA). The NPR explains that at a high level, under the BSA,
banking organizations may be required to report certain cyber
events by filing a Suspicious Activity Report (SAR), if the
activity may be related to a money-laundering activity.
Organizations may also be required to notify federal regulators and
individuals of security incidents under the Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information
and Customer Notice, which interprets Section 501(b) of the GLBA,
but such notice would only be triggered if an organization becomes
aware of an incident involving unauthorized access to, or use of,
“sensitive customer information.” The NPR notes that
while current reporting requirements under the BSA and GLBA
“may provide the agencies with notice of certain
computer-security incidents,” the requirements are “too
narrow in scope to address all relevant computer-security incidents
that would be covered by the proposed rule.” An Expansion of Current Reporting Requirements

By imposing a 36-hour notice requirement on supervised banking
organizations and bank service providers, the federal financial
regulatory agencies note that the proposed rule would provide a
critical source of timely threat-related information that
“current reporting requirements related to cyber incidents are
neither designed nor intended to provide.” Although such a
short notice timeline may create a particular challenge for banks
facing complex security incidents, especially since any available
technical information is likely to be incomplete or unreliable in
the first days following an incident, the NPR notes that the
agencies “do not expect that a banking organization would
typically be able to determine that a notification incident has
occurred immediately upon becoming aware of a computer-security
incident.” Instead, the agencies anticipate that an
organization would take a “reasonable amount of time” to
determine that a notification incident has occurred, and then
notify its primary regulator within 36 hours of making that
determination. Banking organizations would only be expected to
share general information about what is known at the time, and the
notice could be provided though any form of written or oral
communication. A Tight Reporting Timeline Notably, the proposed rule would require banking organizations
to also report “incidents that disrupt operations but do not
compromise sensitive customer information.” Examples provided
by the NPR include large-scale distributed denial of service
attacks that disrupt customer account access and a failed system
upgrade that results in widespread user outages. By linking the
notice requirement to a materiality threshold, the proposed rule
would in some ways follow the model set by the New York Department
of Financial Services Cybersecurity Regulation, which requires
institutions regulated by the Department to provide notice of any
cybersecurity event that has “a reasonable likelihood of
materially harming any material part of the normal
operation(s)” within 72 hours.

News Highlights Business

  • Financial regulatory agencies announce proposed rule requiring reporting of cybersecurity incidents: finance and banking
  • Check all news and articles from the Business news updates.

Disclaimer: If you need to update/edit/remove this news or article then please contact our support team.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s