Proposed New Rule Tightens Cyber Incident Notification Window for Banks and Bank Service Providers

Companies large and small are on heightened alert for cyber incidents following the SolarWinds Orion Platform software attack that came to light in late 2020.

The Department of Treasury is among the 18,000 organizations that SolarWinds disclosed could be at risk following the attack, along with other large organizations such as Cisco and Microsoft.  One of the many ramifications of this cyber incident that companies need to be aware of is potential notification and reporting requirements.

On January 12, 2021, a number of U.S. federal banking regulators proposed a new rule that would require banks and bank service providers to notify their primary regulator in the event of any “computer-security incident”[1] that constitutes a “notification incident”[2] as quickly as possible, and no later than 36 hours after the bank or service provider believes, in good faith, that the incident occurred. Bank service providers would also have to notify at least two individuals at the affected bank in the event of any computer-security incident that could disrupt, degrade, or impair services provided for four or more hours.

Banks and other financial institutions are already subject to a number of notification requirements in the event of a security incident affecting personal information of individuals. Each state in which a bank operates has its own notification and timing requirements, with a notification time period, where specified, that typically ranges from 30 to 45 days. Regulations and guidance under the Gramm-Leach-Bliley Act require financial institutions to notify primary federal regulators “as soon as possible” in the event of an incident “involving unauthorized access to, or use of, sensitive customer information.” Banks that do business overseas may be subject to the notorious 72-hour notification requirements of the European Union’s General Data Protection Regulation (GDPR). A small number of regulators, such as the New York State Department of Financial Services (NYSDFS), have implemented similarly stringent requirements. Financial institutions licensed with NYSDFS must report certain defined cybersecurity events to NYSDFS via a web portal within 72 hours of discovery.

The proposed rule would create the most rapid notification requirement to date affecting banks and bank service providers. Any company that has been unlucky enough to suffer a cyber incident knows that the first few days following discovery involve a rapid marshaling of forces ranging from management and in-house IT to outside attorneys and technology experts. These forces then work to discover what happened and determine the scope of any incident, while often simultaneously attempting to get systems back up and running. The type of detailed analysis necessary to comply with the proposed rule, which involves determining what systems may have been impacted and what information was contained on such systems, can take weeks or months to complete. Even companies with detailed and drilled Incident Response Plans may not be able to comply with the new rule, given its shortened reporting deadline, and may therefore over-report, leading to unnecessary regulatory inquiry and notification to banks by banking service providers. Accordingly, banks and banking service providers should monitor this rule for potential impact and submit any comments by April 12, 2021.[3]

[1]  The proposed rule defines a “computer-security incident” as “an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

[2]  A notification incident is defined as “a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair: (1) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (2) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or (3) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

[3]  The Federal Register release includes instructions and links to numerous methods of providing comments.

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2021 Harter Secrest & Emery LLP