Rule Requires Banks To Report Significant “Computer Security Incidents” Within 36 Hours
The Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Federal Deposit Insurance Corp. (FDIC) have approved the policy, which also requires service providers of financial institutions to notify affected bank customers of any service outage caused by a computer security incident that lasts more than four hours.
The rule is effective April 1, 2022, and compliance is required by May 1, 2022.
A computer security incident is described in the rule as an “event that causes real damage to the confidentiality, integrity or availability of an information system or information that the system processes, stores or transmits.” Such incidents can have a variety of causes, including cyber attacks launched by hackers using “destructive malware or malicious software,” as well as “non-malicious hardware and software failure, personnel errors, and other causes.”
A “notification incident” is defined in the rule as a computer security incident “which disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the operations of the banking organization; result[s] in the inability of clients to access their deposit and other accounts; or impact[s] the stability of the financial sector.”
The rule requires any banking service provider subject to the Bank Service Company Act (BSCA) to notify at least two people within the relevant banking organization of a computer security incident that it believes could disrupt, degrade or alter the services it provides under the BSCA for four hours or more. The banking organization would then determine whether the incident rises to the level of a notification incident and, if so, notify its regulators.
“The notification obligation for banking service providers is important as banking organizations increasingly depend on third parties to provide essential services,” the rule says. “… [A] banking organization should receive prompt notification of computer security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, these services, because prompt notification will allow the banking organization to assess whether the incident has had, or is reasonably likely to have, a material impact and trigger its own notification obligation.”
The idea behind the rule, according to regulators, is to “help promote an early awareness of emerging threats to banking organizations and the financial system as a whole. This early awareness will help agencies respond to these threats before they become systemic.”
Other regulations, such as the New York State Department of Financial Services cybersecurity event notification requirement or the EU’s General Data Protection Regulation (GDPR), require regulated entities to report cybersecurity incidents within 72 hours. After some commenters on the computer security incident rule complained that 36 hours was too short a window for many institutions to comply, banking regulators responded by narrowing the definition of a notification incident to incidents serious enough to be material to the operation of the business. They also rejected language originally included in the rule concerning violations of policies and procedures that contributed to a computer security incident.
In California, companies are required to report data breaches affecting more than 500 state residents to the state attorney general, but are not required to report other types of cybersecurity incidents. California residents can also sue companies in state courts for failing to protect their personal information under a provision of the California Consumer Protection Act (CCPA).