Article

Banking cyber alert

Cyber incident notification rulemaking

Cyber Risk Management | Financial, Executive and Professional Risks (FINEX)

April 14, 2021

A new change to the cyber event notification provision as OCC, FDIC and the Federal Reserve publish a notice of proposed rulemaking.

This article was originally published in North America.

“New proposed cyber incident notification rulemaking – another reason for banks to closely review and understand their vendor risk”

On January 12, 2021, the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and the Federal Reserve published a notice of proposed rulemaking requiring banks and “bank service providers” to notify their primary federal regulator of a computer incident that rises to the level of a notification incident “as soon as possible, but no later than 36 hours after the banking system believes in good faith that the incident occurred.” This joint announcement shows the concern the federal government has for the potential of a large-scale disruption to the banking system from a computer security incident.1

Although all fifty states have cyber event notification provisions in place, the proposed rule represents the most recent step by regulators to require banks and other financial institutions to report cyber incidents within an ever-shrinking timeframe. For example, in 2017 the New York Department of Financial Services enacted a provision requiring notification within 72 hours of the determination that an event occurred.2

Though a final rule has the potential to look markedly different, there are several key portions of the commentary we believe are worth reflecting on in an effort to help bank risk managers proactively address internal controls. The first item of note is the requirement for banks and their service providers to give notice in the event of a computer incident. Banking organizations would be required to notify their primary federal regulator, as noted above. Bank service providers would be required to notify at least two individuals within any affected banking clients in the event of a computer security incident that could disrupt service for 4 or more hours.1 This has material implications for how vendor relationships are managed throughout the enterprise, as increased reporting requirements and contingency communication methods, and potentially even testing, would be necessary. We recommend that risk managers review any standard contractual clauses on breach notice requirements to evaluate the most common and the most stringent obligations. Familiarity with standard vendor agreement contractual clauses for cyber incident notification will put risk managers in a better position to evaluate whether any final rule would require amendments. Additionally, while banks are currently required to disclose their core service providers to regulators under the Bank Service Company Act, more attention should be paid to ensuring that such service providers are aware of their designation, so that no vendor fails to notify its banking clients of computer incidents because it did not know it was covered.

Another implication is the potential revision of business continuity and incident response plans to incorporate the notification of primary federal regulators. Although these plans likely already contain statutory notification guidelines, the new regulation could require earlier notice than state regulations, condensing the current process. A proactive review of these plans, specifically around when to notify relevant state regulators, will position risk managers to make relevant recommendations in the event this regulation is enacted. It will be even more critical for banks to also closely review the incident response plans of their service providers. As banks continue to focus on strengthening vendor risk management, which has become increasingly important in light of recent high-profile breaches of third-party service providers, this proposed rule would further underscore the need for comprehensive cyber security risk management and alignment with service providers.

From an insurance perspective, evaluating certain terms and conditions within an insured’s cyber insurance policy will be critical to identifying potential gaps and overlaps in the event the rule is finalized. For example, it will be important to evaluate how the notice and knowledge requirements in the new regulation align with those in the cyber policy and how the policy defines banking service providers.

Despite the material challenges that any regulation presents, the new rule could provide clarity for the banking industry, foster greater collaboration between banking organizations and ultimately protect all participants in the banking system by reducing the risk from cyber threats.

The Willis Towers Watson FINEX Cyber and Financial Institutions Team will continue to monitor the status of the regulation in order to provide a comprehensive view of its potential impacts.


Footnotes

1 https://www.federalregister.gov/documents/2021/01/12/2020-28498/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank

2 https://casetext.com/regulation/new-york-codes-rules-and-regulations/title-23-financial-services/chapter-i-regulations-of-the-superintendent-of-financial-services/part-500-cybersecurity-requirements-for-financial-services-companies/section-50017-notices-to-superintendent

Contacts

Emily Lowe
Director, FINEX North America

Banking Industry Leader, FINEX

Peter Brandys
Lead Relationship Manager - Banking

GB Head of FINEX Financial Institutions
