Banks May Have Less Time to Report Data Breaches Under Proposed Federal Rule

Banking regulators are considering a proposed new rule that would require banks and their service providers to report certain “computer security incidents” within 36 hours of detection. The rule also broadens the definition of what needs to be reported. The relevant regulatory agencies are seeking industry comment through April 21, 2021.

The background

On January 12, 2021, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published a notice of proposed rulemaking (NPR) that would require banking organizations and bank service providers to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” within 36 hours of detection.

The proposed rule states that 36-hour time limit starts after the banking organization believes in good faith that an incident has occurred. The notification will not need to be an assessment of the incident; it is only intended to provide an alert to the banking organization’s primary federal regulator. Likewise, bank service providers will need to notify their banking organization immediately if they suspect an incident occurred that could disrupt, degrade, or impair services provided for four or more hours.

The goal of this new rule is to give federal agencies early warning of emerging threats. Incidents could severely impact banks, preventing them from assisting customers. The sooner federal agencies are aware of these threats the better they can assist banks. Federal agencies would be able to approve requests for assistance through U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection. This rule would also give federal agencies more data so they can better analyze activity across all banking organizations, allowing federal agencies to better formulate response plans to national threats.

Currently banking organizations are required to notify their primary federal regulator “as soon as possible” when they become “aware of an incident involving unauthorized access to or use of sensitive customer information” by filling a Suspicious Activity Report (SAR).

However, SARs do not provide enough information to federal agencies as they are typically required only when there is suspected criminal violation of federal law or a suspicious transaction related to a money-laundering activity.

Likewise, under the Gramm-Leach-Bliley Act (GLBA) banking organizations are expected to report incidents if the organization becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information. The authors of the proposed rule find this scope of SARs and GLBA too narrow.

Features of the new rule

A key difference between current regulations and the proposed rule is the requirement that any computer-security incident that rises to the level of a notification incident must be reported within 36 hours. [A computer incident is defined as any event that harms or potentially harms the confidentiality, integrity, and availability of an information system. A notification incident is any event that could disrupt, degrade, or impair banking operations or services to customers.]

Previous rules have asked that incidents be reported as soon as possible but regulators found that with out the strict time limit organizations failed to report promptly. The 36-hour requirement tightens the time frame in which banking organizations must respond compared to other regulations with a time limit. Previous rules such as New York Department of Financial Services’ Cybersecurity Regulation and the European Union’s GDPR have given banking organization up to 72 hours to notify regulators of incidents.

A second key change would require banking service providers to report incidents to at least two individuals at the respective banking organization immediately after an incident has been detected. This differs from the current regulations set by the Bank Service Company Act (BSCA) that has no reporting requirements for service providers.

Industry Cost Estimates

The federal agencies who wrote the proposal projected the cost of the rule. They estimate that banking organizations may need to notify regulators of 150 incidents per year. With each incident, they expect at least three hours of staff time to organize a response and notify their federal regulator.

The federal agencies expect at least 2% of bank service providers would need to report incidents under the proposed rule. They estimate that each response by a bank service provider will take an average of three hours. However, the agencies were not certain of their estimate for bank service providers and are looking for comments on the number of incidents banking service providers would receive.

The federal agencies considered not making changes to the current rules but decided that the risks involved in banking were too high to keep the rules are they were. They also considered changing the requirements for SARs. They found that to get the information they needed, changing the SARs would be too costly. The agencies’ goal was to minimize the burden on banking organizations while still getting the necessary data.

Comments due in April

The proposed rule is open for comments until April 21, 2021. Regulators will listen to any comments but are specifically looking for comments on the definitions they provided in the proposed rule. A complete listing of all topics for comments can be found in section 4 of the Supplementary Information attached to the proposed rule.
For more information go here.