Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

5/31/2022 - By Stephen Reyes, CISA, CISSP

As of May 1, 2022, banks must now notify their primary federal regulator within 36 hours of determining a "notification incident" has occurred, while a bank service provider is required to notify each affected bank "as soon as possible" if an incident is "reasonably likely" to cause a disruption for more than four hours.

The final rule added some definitions and clarification in response to comments provided during the comment period. The definition of a "computer security incident" was narrowed down to "an occurrence that results in actual harm to an information system or the information contained within it.” This final definition no longer contains any reference to malintent or violation of policies, procedures or laws. In addition, the agencies provided seven examples of what are considered "notification incidents," although the list is specifically noted as "non-exhaustive" and requires banking organizations to consider on a “case-by-case basis” whether an incident constitutes a "notification incident."

As noted in the final rule, the agency received several requests to provide guidance about what information should be included in the notification and even requests for a notification template. The Agencies declined to provide this clarification noting only that, “The agencies anticipate that banking organizations will share general information about what is known," and that, "No specific information is required." The final rule requires each agency to provide a designated contact through “e-mail, telephone or other similar methods that the agencies may prescribe.”

Servicing organizations are required to notify a ‘bank-designated point of contact’. This is notable as banks should consider the need to update agreements with vendors to ensure they designate the proper point of contact for service organization notifications. Note that notification from a vendor does not necessarily create a notification incident. The agencies noted the bank is responsible for making that determination, not the servicing organization.

Ultimately, the vagueness remains making complete compliance challenging. At the very least, this ambiguity will lead to excessive reporting. The rule even anticipates this noting, “The agencies recognize that a banking organization may file a notification, from time to time, upon a mistaken determination that a notification incident has occurred, and the agencies generally do not expect to take supervisory action in such situations.” At this point, it appears prudent to err on the side of reporting an incident, even if it may not actually be a required “notification incident.” However, perhaps the data gathered will allow the agencies to improve the process in the coming years and updates will be published providing more clarity.

Source: Federal Register/Vol 86, No. 223 of Tuesday, November 23 2021.

About the Author | Stephen Reyes, CISA, CISSP

Stephen is a shareholder and leader of the Information Technology Services practice of Saltmarsh, Cleaveland & Gund. He joined the firm in 1997 and has been practicing in this field since 1990. His experience includes computer networking and technology consulting. Stephen is a Certified Information Systems Auditor, Microsoft Certified Systems Engineer and a Cisco Certified Network Associate. He also holds certifications with ISACA, Novell, Citrix and CompTIA. Stephen has assisted a number of financial institutions with IT compliance audits, security audits, as well as system selection, implementation and conversion.