
FDIC and OCC Release New Incident Notification Rules

By Adam Reynolds | Monday, January 31, 2022 - Leave a Comment

An update to your Incident Response and Business Continuity Plans will be required . . .


. . . but will not replace any previous rules!
A new article meant to inspire thought about IT Governance…



A final rule published by the FDIC, OCC, and the Federal Reserve comes into effect May 1st and changes the notification requirements for our primary federal regulators. This rule will require changes not only to our Incident Response Plan, but to our Business Continuity Plan as well. Previous notification requirements focused on incidents involving security and confidentiality, such as disclosures of customer information; the new requirements also cover availability and operational impact. The rule does not change any previous notification requirements, but it adds a requirement to notify within 36 hours of a newly defined incident type, the notification incident.

The rule has two parts: the first defines requirements for banks to notify their primary federal regulators, and the second requires bank service providers (those providing covered services subject to the Bank Service Company Act) to notify banks of actual and potential material service disruptions lasting four or more hours. In this article we will be focusing on the first requirement in the rule, but it is important to know that under the second requirement your bank service providers will be required to notify a bank-designated point of contact, and that notification could in turn trigger the bank's requirement to notify its primary federal regulator. Originally this was to be two points of contact, but the rule was reduced to one in consideration of smaller institutions, so be sure to have a continuity process to watch for these notifications if there is only one contact. It is our expectation that financial institutions will need to update contracts with vendors to codify this requirement, especially if your vendors are not supervised by the regulators. Vendor inventories will also need to include a flag for vendors covered by this regulation.

The rule now requires financial institutions to notify their primary Federal regulators as soon as possible, and within 36 hours, of notification incidents, which are defined as “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

We will focus on the first two statements (i and ii), as most reading this will not have operations where failure or discontinuance would pose a threat to the financial stability of the United States (<$50B). This new rule can then be condensed into three questions. First, has an incident occurred that resulted in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits (a computer-security incident)? This type of incident is defined in the rule as a “computer-security incident” because it involves an information system or the data that resides on such a system, but that would not necessarily translate to an incident as defined in a typical Incident Response Plan (the rule clarifies that the definition includes incidents from whatever cause, as it is the effect of the incident that matters). While an incident affecting the confidentiality or integrity of those systems would normally trigger the incident response plan, an incident affecting only their availability may not, which is why the Business Continuity Plan needs to be updated to address this rule as well.

If the answer to the first question is yes, there are then two qualifying questions to ask to determine whether notification is necessary. The first is whether the incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, your ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of your customer base, in the ordinary course of business. The second is whether the incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, your business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value. If either of these two statements is true, notification is required. It is also important to remember that this does not include minor incidents: the incident must affect (or be reasonably likely to affect) a material portion of your customer base, or involve a material loss of revenue, profit, or franchise value. If in doubt as to whether it is a notification incident for purposes of notifying your primary federal regulator, you are encouraged to contact your regulator (see the provided examples at the end of this article).


This notification is required after the organization has determined that a notification incident has occurred. As noted in the rule, the agencies do not expect that an organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident. Rather, the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. Finally, the rule does not define any particular notification approach, stating “A simple notice can be provided to the appropriate agency supervisory office, or other designated point of contact, through email, telephone, or other similar method that the agency may prescribe. The notifications, and any information related to the incident, would be subject to the agencies’ confidentiality rules.”

Of course, with this new requirement, updating your incident response plan and business continuity plan will be required as well. One way to accomplish this would be to create a new section in each plan, titled Primary Federal Regulator Notification. In the incident response plan this section would apply to every incident classification; in the business continuity plan it would apply to any incident affecting the two statements (i and ii) above. Within those sections, ask the three questions above to determine whether notification is required, and define the notification process. As with any update, it is also important to test the plan afterwards to ensure the team is familiar with the changes. Please visit our Template Library for a copy of the Incident Response Plan and/or Business Continuity Plan boilerplates that address this new requirement.

The following is a non-exhaustive list of incidents that generally are considered “notification incidents” under the final rule:

  • Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
  • A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
  • A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
  • An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
  • A computer hacking incident that disables banking operations for an extended period of time;
  • Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections; and
  • A ransom malware attack that encrypts a core banking system or backup data.



Original article by Adam Reynolds CISSP. Lead Non-Technical Auditor, infotex
