This article was written by Chris Salone, CISA, CCSFP, MBA
In the final quarter of 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (the agencies), issued a rule requiring any FDIC insured financial institution to notify its primary Federal regulator of any ‘‘computer-security incident’’ that rises to the level of a ‘‘notification incident.’’ The Federal regulator must be notified as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to inform each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. Banks and their service providers must comply with the Final Rule starting May 1, 2022.
In the rule, the agencies define a “computer-security incident” as
- “an occurrence that results in actual harm to an information system or the information contained within it.”
When a computer-security incident has occurred and has risen to the level of a “notification incident,” formal communication to the Bank’s primary Federal regulator must occur. In the rule, a “notification incident” is defined as
- “a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—
- the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- any business line of a banking organization, including associated operations, services, functions, and support, and would result in a material loss of revenue, profit, or franchise value; or
- those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
In the final rule, the agencies provide several examples of “notification incidents,” some of which include:
- Denial of service attacks that disrupt customer account access for an extended period.
- Widespread system outages for at critical Bank service provider that causes extended downtime for a key Banking or Business application.
- An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan.
- A computer hacking incident that disables banking operations for an extended period.
- Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines.
- A ransom malware attack that encrypts a core banking system or backup data.
FDIC-supervised banks can comply with the rule by reporting an incident to their “case manager,” who serves as the primary FDIC contact for all supervisory-related matters, or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: email@example.com.
How your Institution Can Prepare:
FDIC Insured Banks should, as soon as practical, review the rule (embedded below) and assess the needed changes to the following:
- Information Technologies and Cybersecurity Policies
- The Computer Security Incident Response Program/Policy
- Annual IT and TSP / Vendor Risk Assessments and Program
- Security Awareness Training
- Information Technology Internal Audit
- Cybersecurity testing (Penetration testing, etc.)
FoxPointe Solutions, a division of The Bonadio Group, is equipped and prepared to help your organization prepare for these requirements. We would be happy to answer any questions you may have or provide you with additional information. Reach out today.