FoxPointe Security Hub

New Proposed Banking Breach Notification Regulation is Met with Criticism


As you were enjoying a cup of coffee on the morning of December 18, 2020, you might have been arranging your holiday plans or ordering a last-minute gift for a loved one. Or, perhaps, you are part of the banking industry, and as part of your morning routine you peruse various news outlets to stay up to date on industry trends. If the latter is true, then you would have perked up when you saw the words “FOR IMMEDIATE RELEASE” on the Federal Deposit Insurance Corporation’s (FDIC) website as it announced a new proposed Cyber Breach Notification Regulation for federally supervised banking organizations.

Indeed, in a joint release from the FDIC, the Office of the Comptroller of the Currency (OCC), and the Federal Reserve System, the “Agencies” announced that the new Breach Notification Regulation would “require supervised banking organizations to promptly notify their primary federal regulator in the event of a computer security incident.” Attached to the release were the full details of the proposal, including the requirement that banks notify their primary federal regulator of any qualifying computer security incident as soon as possible, and no later than 36 hours after they determine that such an incident has occurred.

The proposed rule would broaden the previous definition of what constitutes a reportable incident (FFIEC FIL-27-2005) by defining a “computer-security incident” as an occurrence that:

  • Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or
  • Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

The proposed rule would also define a “notification incident” as:

  • A “computer-security incident” that a banking organization believes in good faith could materially disrupt, degrade, or impair – … the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Additionally, the proposed regulation introduces requirements for bank service providers: under the same circumstances of a computer-security incident as defined above, the service provider would be required to notify “two individuals at affected banking organization customers”.

While individual states have long had their own data breach notification laws for financial institutions, this new regulation would mark the first federal law requiring breach notification in all sectors. The proposed regulation was officially posted to the Federal Register on January 12, 2021, and within the proposal the Agencies welcomed feedback and comments on the regulation and its definitions, offering a 90-day “comment window” that closed on April 13.

Various banking experts and industry personnel took the time to examine the proposal and offer constructive criticism. Several financial groups, including the American Bankers Association (ABA), expressed their thoughts and concerns in a formal letter to the Agencies. The letter emphasized that the new regulation would be too burdensome for financial institutions and noted that the proposed rule bases its definition of a reportable incident on the National Institute of Standards and Technology’s (NIST) definition. The “Associations” commented that the NIST definition is too broad and not specific to the banking industry, and that following it would turn insignificant occurrences into reportable incidents. While the Associations appreciated the effort to achieve transparency and clarity in the reporting of cybersecurity incidents, the letter calls for the definition of a reportable incident to be narrowed to include “only those incidents that result in ‘actual’ harm and that a banking organization ‘determines’ in good faith are ‘reasonably likely’ to cause the significant harms set forth in the rule.”

This new regulation has not yet been enacted or approved, and whether the Agencies that submitted the proposal will revise it is yet to be determined. Although the 90-day comment window has passed, the proposal may be revised and then re-opened for further comment and feedback, drawing out the process. In the meantime, institutions can prepare by ensuring that a well-crafted Incident Response Plan and Vendor Management Program are in place, both to help mitigate the risk of cyber security incidents and to position themselves to comply with the regulation if it is adopted.

FoxPointe Solutions is immediately available and ready to assist you with securing your data and answering any questions you may have. Contact us today.


This article was written and produced by Christopher Salone, CCSFP, MBA, FoxPointe Solutions.

FoxPointe Solutions is solely responsible for the content of information authored by FoxPointe Solutions, which is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or the relevant standards authority. Nothing contained herein should be used or relied upon as advice, nor does it constitute a consultant-client relationship.