Banks May Have Less Time to Report Data Breaches Under Proposed Federal Rule

By Collin Connors, ERMProtect Security Consultant

Banking regulators are considering a proposed new rule that would require banks and their service providers to report certain “computer security incidents” within 36 hours of detection. The rule also broadens the definition of what needs to be reported. The relevant regulatory agencies are seeking industry comment through April 21, 2021.

The background

On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published a notice of proposed rulemaking (NPR) that would require banking organizations and bank service providers to notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” within 36 hours of detection.

The proposed rule states that the 36-hour time limit starts once the banking organization believes in good faith that an incident has occurred. The notification does not need to be an assessment of the incident; it is only intended to alert the banking organization’s primary federal regulator. Likewise, bank service providers would need to notify their banking organization immediately if they suspect an incident has occurred that could disrupt, degrade, or impair the services they provide for four or more hours.

The goal of the new rule is to give federal agencies early warning of emerging threats. Incidents can severely impact banks, preventing them from serving customers, and the sooner federal agencies are aware of these threats, the better they can assist affected banks. Federal agencies would be able to approve requests for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection. The rule would also give federal agencies more data with which to analyze activity across all banking organizations, allowing them to better formulate response plans to national threats.

Currently, banking organizations are required to notify their primary federal regulator “as soon as possible” when they become “aware of an incident involving unauthorized access to or use of sensitive customer information” by filing a Suspicious Activity Report (SAR).

However, SARs do not provide enough information to federal agencies, as they are typically required only when there is a suspected criminal violation of federal law or a suspicious transaction related to money-laundering activity.

Likewise, under the Gramm-Leach-Bliley Act (GLBA), banking organizations are expected to report incidents if the organization becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information. The authors of the proposed rule find the scope of both SARs and the GLBA requirement too narrow.

Features of the new rule

A key difference between current regulations and the proposed rule is the requirement that any computer-security incident that rises to the level of a notification incident must be reported within 36 hours. [A computer incident is defined as any event that harms or potentially harms the confidentiality, integrity, and availability of an information system. A notification incident is any event that could disrupt, degrade, or impair banking operations or services to customers.]

Previous rules have asked that incidents be reported as soon as possible, but regulators found that without a strict time limit, organizations failed to report promptly. The 36-hour requirement is also tighter than the time frames in other regulations that do set a limit: the New York Department of Financial Services’ Cybersecurity Regulation and the European Union’s GDPR give banking organizations up to 72 hours to notify regulators of incidents.

A second key change would require bank service providers to report incidents to at least two individuals at the affected banking organization immediately after an incident has been detected. This differs from the current regime under the Bank Service Company Act (BSCA), which has no reporting requirements for service providers.

Industry Cost Estimates

The federal agencies that wrote the proposal projected the cost of the rule. They estimate that banking organizations may need to notify regulators of 150 incidents per year, and that each incident will take at least three hours of staff time to organize a response and notify the federal regulator.

The federal agencies expect that at least 2% of bank service providers would need to report incidents under the proposed rule, and they estimate that each response by a bank service provider will take an average of three hours. However, the agencies are not confident in their estimate for bank service providers and are seeking comments on the number of incidents bank service providers would experience.

The federal agencies considered leaving the current rules unchanged but decided that the risks to the banking sector were too high to keep the rules as they were. They also considered changing the requirements for SARs, but found that getting the information they needed through SARs would be too costly. The agencies’ goal was to minimize the burden on banking organizations while still obtaining the necessary data.

Comments due in April

The proposed rule is open for comments until April 21, 2021. Regulators will consider any comments but are specifically seeking feedback on the definitions they provided in the proposed rule. A complete list of the topics on which comments are requested can be found in section 4 of the Supplementary Information attached to the proposed rule.