September 21, 2023
Security Incident Notification Rule and Service Providers
Back in November of 2021, the OCC, FRB, and FDIC jointly issued a final rule requiring banking organizations to notify their respective regulators within 36 hours of a declared computer-security incident. (https://www.govinfo.gov/content/pkg/FR-2021-11-23/pdf/2021-25510.pdf)
Similarly, beginning September 1, 2023, the NCUA mandated a similar notification rule with one important difference: The NCUA must be notified within 72 hours. (Cyber Incident Notification Requirements: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/cyber-incident-notification-requirements)
In addition to the requirement to notify regulators of a security incident, the joint OCC, FRB, and FDIC rule states that “bank service providers are required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” To determine which service providers are subject to the rule:
- “A bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.”
- “Covered services are services performed, by a person, that are subject to the Bank Service Company Act (BSCA) (12 U.S.C. 1861–1867). Services covered by the Act include check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.” Additionally, according to the American Bankers Association, “The agencies have also interpreted the notification requirement to include third parties that provide data processing, Internet banking, and mobile banking services.” (https://www.aba.com/banking-topics/compliance/acts/bank-service-company-act)
Therefore, even though you may consider a vendor “critical,” that doesn’t mean they would be subject to the notification rule. For example, your Internet service provider may be ranked as “critical” within your vendor risk assessment; however, they would not reasonably qualify as providing a covered service.
Next, the requirement for bank service providers to “notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours” also warrants some consideration.
Some good news is you don’t need to fix any related bank service provider contracts. If your existing agreements don't specifically mention any notification obligations (or they happen to differ from the rule), the rule steps in and enforces the four-hour requirement. From the rule: "Furthermore, while the agencies agree that incident notification is generally addressed by contract, we believe that this issue is important enough to warrant an independent regulatory requirement that ensures consistency and enforceability, without the necessity of revising contractual provisions.” and “The agencies also note that the notification requirement created by this rule is independent of any contractual provisions, and therefore, bank service providers must comply even where their contractual obligations differ from the notification requirement in this rule.”
Authored by: David Matt, CISSP, CEH
You May Want to Read More:
Pig Butchering – What to Know About this Virtual Currency Scam and FinCEN Alert FIN-2023-Alert005 - WST
September 14, 2023
The Financial Crimes Enforcement...
Standard Password Complexity Rules Just Don’t Cut It Anymore - WST
September 7, 2023
Microsoft Active Directory has had password complexity requirements....
YOU ARE 10-D’s BEST CLIENT(S) - WST
August 31, 2023
At 10-D, we appreciate you, our clients! We truly enjoy working with you and our partnership. To share some of the reasons we....