Security Incident Notification Rule and Service Providers

Back in November of 2021, the OCC, FRB, and FDIC jointly issued a final rule requiring banking organizations to notify their respective regulators within 36 hours of a declared computer-security incident. (https://www.govinfo.gov/content/pkg/FR-2021-11-23/pdf/2021-25510.pdf)

Similarly, beginning September 1, 2023, the NCUA mandated a similar notification rule with one important difference: The NCUA must be notified within 72 hours. (Cyber Incident Notification Requirements: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/cyber-incident-notification-requirements)

In addition to the requirement to notify regulators of a security incident, the joint OCC, FRB, and FDIC rule states that “bank service providers are required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” To determine which service providers are subject to the rule:

Therefore, even though you may consider a vendor “critical,” that doesn’t mean they would be subject to the notification rule. For example, your Internet service provider may be ranked as “critical” within your vendor risk assessment; however, they would not reasonably qualify as providing a covered service.

Next, the requirement for bank service providers to “notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours” also warrants some consideration.

Some good news is you don’t need to fix any related bank service provider contracts. If your existing agreements don't specifically mention any notification obligations (or they happen to differ from the rule), the rule steps in and enforces the four-hour requirement. From the rule: "Furthermore, while the agencies agree that incident notification is generally addressed by contract, we believe that this issue is important enough to warrant an independent regulatory requirement that ensures consistency and enforceability, without the necessity of revising contractual provisions.” and “The agencies also note that the notification requirement created by this rule is independent of any contractual provisions, and therefore, bank service providers must comply even where their contractual obligations differ from the notification requirement in this rule.”

Authored by: David Matt, CISSP, CEH