The Computer-Security Incident Notification Rule requires US federal banking organizations and banking service providers to notify the Office of the Comptroller of the Currency (OCC) that a cybersecurity incident has occurred. The bank must ensure that the OCC receives this as soon as possible and no more than 36 hours after the incident has occurred.
In the context of increasing cyber attacks in the financial industry and a growing trend of using third-party service providers, the Computer-Security Incident Notification Rule helps provide early awareness for the OCC so it can respond promptly to emerging threats to the broader financial system and ensure the financial stability of the United States.
This post aims to help financial services organizations understand Computer-Security Incident Notification Rule requirements and how financial organizations can comply.
What is Considered a Computer-Security Incident?
The rule defines a computer-security incident as an occurrence that harms the confidentiality, integrity, or availability of an information system, or of the information that the system processes, stores, or transmits.
Any computer-security incident that is likely to significantly disrupt the bank’s operations, leave customers unable to access their funds, or affect the stability of the broader financial sector falls under this category. This can include cyber attacks, such as DDoS or ransomware attacks, as well as system failures or third-party security breaches.
While similar notifications were required under the Bank Secrecy Act and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, they did not cover all computer-security incidents that the regulatory agencies must be informed about.
What is Defined as a Banking Organization?
Under the new rule, the term “banking organization” is defined differently by each of the regulatory agencies.
According to the OCC, banking organizations include:
- National banks
- Federal savings associations
- Federal branches and agencies of foreign banks
For the Board of Governors of the Federal Reserve System (FRB), banking organizations include the following:
- State member banks
- Any US operations of foreign banking organizations
- US bank holding companies
- Savings and loan-holding companies
- Edge and agreement corporations
The Federal Deposit Insurance Corporation (FDIC) deems banking organizations as:
- Insured state nonmember banks
- Insured state-licensed branches of foreign banking organizations
- Insured state savings associations
These definitions are consistent with the three agencies’ supervisory authorities. Banking organizations also include ALL third-party service providers, whether they are businesses or individuals, if they perform services covered by the Bank Service Company Act (BSCA), a regulation establishing rules about how financial institutions interact with some third-party service providers. See USC Chapter 18 for more information.
Financial technology companies should check with their banking partners to determine whether or not they have been identified as bank service providers to a banking regulator and whether they are subject to the BSCA.
What is a Notification Incident?
A notification incident must be a significant computer-security incident that will or is likely to:
- Last four hours or more
- Disrupt a banking organization’s operations
- Damage revenue, profit, or franchise value of any banking organization business lines, including support, services, and associated operations
- Prevent customers from accessing accounts
- Disrupt the stability of the financial sector
A qualifying incident (one that has reached the level of a notification incident) might be a cybersecurity event such as a ransomware attack, a distributed denial of service attack, or a major computer-system failure. A relevant incident may also be caused by hardware or software failure or by human error.
Therefore, if the bank is the victim of a cyber attack, but the attack does not cause actual harm, does not significantly disrupt the ordinary course of business, and is unlikely to worsen or last for an extended period, the bank may not need to report to its regulatory body.
If the banking organization determines that a security incident has risen to the level of a notification incident, it must report it within 36 hours of that determination. So the countdown does not begin when the incident starts; it begins when the bank determines that the incident has reached the notification threshold.
Computer-Security Incident Notification Requirements
Various OCC points of contact exist for banking organizations. They can communicate a notification incident to their primary Federal regulator, contact their supervisory office, or visit BankNet.gov. If the bank is unsure whether it is experiencing a notification incident, it should contact its supervisory office in the first instance.
Banking organizations must also report a computer-security incident to at least one bank-designated point of contact at each bank affected by the incident.
If the bank does not already have a designated point of contact, it should use any reasonable means to notify the bank’s Chief Executive Officer (CEO) and Chief Information Officer (CIO) or individuals of comparable responsibilities, such as a Chief Information Security Officer (CISO) and a Cybersecurity Director. For this reason, US banking organizations should ensure that the relevant contact information is up-to-date and easily accessible within the organization’s security policies and incident response plans.
Lastly, the final rule states that bank service providers must notify every one of their affected banking organization customers following a notification-level incident. Designated financial market utilities, however, need not report under the Computer-Security Incident Notification Rule because they are regulated separately by the Federal Reserve.
How UpGuard Can Help Banking Organizations Comply with the Computer-Security Incident Notification Rule
UpGuard can help banking organizations and their third-party service providers comply with the Computer-Security Incident Notification Rule by quickly detecting, monitoring, mitigating, and remediating cyber threats and by providing instant notifications should a notification-level threat arise.
In addition, UpGuard provides end-to-end risk management to help organizations lower the likelihood of a potential risk occurring, and monitors third parties to ensure they meet compliance standards and minimum security requirements.