36-hour violation notification rule to come into effect for banking organizations | Cooley LLP

On November 18, 2021, three American agencies – the Office of the Comptroller of the Currency (OCC), on Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC) – issued a common rule concerning notifications of IT security incidents, which will come into force on April 1, 2022, with a full compliance date of May 1, 2022. The rule establishes the reporting requirements of IT security incidents for banking organizations and their service providers banking services. Unlike existing breach notification laws, the rule focuses on incidents that impact the operations of banking organizations.

Which organizations does the rule apply to?

The rule applies to “banking organizations”, which, for the OCC, include national banks, federal savings associations and federal branches and agencies of foreign banks. For the FRB, “banking organizations” includes all US bank and savings and loan holding companies, member state banks, US operations of foreign banking organizations, and Edge and Agreement companies. For the FDIC, “banking organizations” includes all insured non-member state banks, branches of state-licensed foreign banks, and insured state savings associations. Banking organizations are akin to owners or controllers of data under current breach notification laws and have a primary obligation to notify regulators of a security incident.

The law also applies to “banking service providers” (BSP), meaning any “banking service company” or any other person who provides “covered services”, which are services provided by a company. “Person” who are subject to the law on banking services companies (12 USC 1861-1867), and includes sorting and accounting for checks and deposits, calculating and recording interest and other credits and charges, preparing and sending checks, statements, notices and similar items, or any other office function , bookkeeping, bookkeeping, statistics or the like carried out for a depository institution.1 In this context, BSPs play the role of service providers, maintainers or data processors under existing data breach notification laws. In the event of a reportable IT security incident, the BSPs must notify the banking organizations concerned by the incident.

What is the trigger for a notification under the rule?

Obligations of banking organizations

Under the rule, banking organizations must notify their primary regulator (OCC, FDIC or FRB), as soon as possible and no later than 36 hours after the banking organization determines that an “incident. computer security “has occurred which reaches the level of a” notification incident “. It is important to note that the 36 hour clock does not start until the thresholds for each definition are met. Thus, in many cases, banking organizations can reasonably take the position that the time spent investigating an incident does not count towards the 36-hour period until the terms of each definition – which include confirmation. of “actual damage” and of a disturbance or material degradation of the bank operations, as described in more detail below – are met.

The rule defines a “computer security incident” as “an event that results in real harm the confidentiality, integrity or availability of an information system or information that the system processes, stores or transmits ”(emphasis added). However, the rule does not define “actual damage”. Compared to other breach notification laws, the standard of “actual harm” is a high standard for triggering notification – it arguably does not include incidents where harm has not been confirmed, even when there is a suspicion of potential harm, or when the harm has not been detected but cannot be excluded either.

Even if the definition of computer security incident is met, the incident is not a “reporting incident” to report unless it has materially disrupted or degraded, or is reasonably likely to cause harm. significantly disrupt or degrade:

  • Ability to carry out banking operations, activities or processes, or to provide banking products and services to a significant portion of its customers, in the ordinary course of business.
  • Lines of business, including related operations, services, functions and support, which, if failed, would result in a significant loss of revenue, profits or franchise value.
  • Operations, including associated services, functions and support, if any, the failure or interruption of which would constitute a threat to the financial stability of the United States.

Here, unlike traditional breach notification laws which focus on breaches affecting personal information, the rule focuses on the operational impacts of security incidents. In addition, in addition to the actual harm threshold, a notification is only triggered if the standard of disturbance or material degradation is met. Based on this dual-trigger approach, affected banks will in many cases be able to reasonably conclude that certain security incidents will not need to be reported to regulators.

In fact, the three US agencies have recognized that not all IT security incidents are reportable and provide a non-exhaustive list of incidents that are generally considered a “notification incident” under the final rule:

  • Large-scale distributed denial of service (DDoS) attacks that disrupt customer account access for an extended period of time (for example, more than four hours).
  • A BSP used by a banking organization for its primary banking platform to operate business applications experiences widespread system failures and the recovery time is indeterminable.
  • System upgrade or change failure resulting in widespread user outages for customers and employees of the banking organization.
  • Unrecoverable system failure that results in the activation of a banking organization’s business continuity or disaster recovery plan.
  • A hacking incident that disables banking operations for an extended period of time.
  • Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business or critical operations, or causes the banking organization to disengage any compromised product or information system that supports them. business lines or critical operations of the Internet banking organization network connections.
  • A ransomware malware attack that encrypts a primary banking system or backup data.

Again, all of these examples focus on the disruption or degradation of banking operations and focus more on critical infrastructure and service availability issues than consumer privacy.

Obligations of banking service providers

A banking service provider must notify a “bank designated point of contact” in each banking organization affected by a computer security incident “as soon as possible” after determining that it has experienced a computer security incident that ” has materially disrupted or degraded, or is reasonably likely to disrupt or materially degrade the Covered Services provided to that banking organization for four hours or more. Below, we’ve outlined some interesting nuances to the reporting obligations associated with BSPs.

  • Triple trigger: BSPs arguably have a higher reporting threshold (i.e. less likely to trigger a notification) than banks, as the rule identifies three triggers: actual harm, physical disruption or degradation, and minimum four o’clock. As such, even if a security incident causes disruption or material damage, it is not necessary to report it unless it is “four hours or more”. It is not clear how to measure continuity in this context.
  • Four hour trigger in addition to other triggers: Some might view the four hour downtime requirement as establishing a threshold to define the “materiality” of degradation or disruption of services at a BSP. However, the language clearly appears to require degradation or material disturbance. and that it lasts four hours or more.
  • Establish a point of contact designated by the bank: The rule considers scenarios in which multiple bank customers of a BSP are affected by a single incident. If the BSP has not received a contact point designated by the bank by its bank clients, it should inform the CEO and CIO of each bank (or two other persons with comparable responsibilities).
  • Routine maintenance exception: Notification is not required for service interruptions due to scheduled maintenance, testing, or software updates previously communicated to a customer of a banking organization. As such, the rule appears to effectively require BSPs to notify any scheduled software maintenance, testing, or updates that could significantly degrade or disrupt services if maintenance, testing, or updates last for four hours or so. more.

Our opinion

The rule represents another obligation that financial institutions and their suppliers must take into account in the event of a security incident. The rule is more focused on ransomware and DDoS attacks that destroy a bank’s systems, but the same incident could also affect consumer data and trigger GLBA reporting guidelines, GDPR, and foreign breach laws. state financial regulatory requirements and state violation laws. Banks and BSPs should consider updating their incident response plans to take into account all of these requirements.

In the event of a suspected data incident, you can contact members of Cooley’s Incident and Data Breach Response team at [email protected] or +1 844 476 1248.


  1. “Depository Institution” means an insured bank, savings association, financial institution subject to review by the appropriate federal banking agency or the Board of Directors of the National Credit Union, or a financial institution whose accounts or Deposits are insured or guaranteed under state law and are eligible to be insured by the FDIC or the National Credit Union Administration Board.

[View source.]

Michael J. Birnbaum