In December 2020, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) proposed new cyber incident notification requirements for institutions that they regulate and their service providers (the “Proposal”).1 If adopted, the Proposal would expand and clarify existing notification requirements for financial institutions, which are primarily focused on consumer protection and suspicious activity reporting. Additionally, the Proposal would require service providers to notify their financial institution if certain computer security incidents occur. While the Bank Service Company Act (“BSCA”) generally subjects service providers to supervision and examination by the Federal Regulators as if the services were performed by the financial institution, this authority has not been recently used to directly regulate the conduct of a service provider.2
Comments on the Proposal are due within 90 days of publication in the Federal Register, which is expected to occur later this month or early in 2021. This Legal Update provides some background information related to incident notification requirements and the BSCA and describes the new notification requirements set forth in the Proposal.
Existing Incident Notification Requirements
Historically, the Federal Regulators have required financial institutions to file two types of reports for certain cybersecurity incidents. First, under the safeguarding authority of the Gramm-Leach-Bliley Act (“GLB Act”), certain financial institutions are required to notify their Federal Regulator of incidents (including cybersecurity incidents) involving unauthorized access to sensitive consumer information. Second, under the reporting requirements of the Bank Secrecy Act, certain financial institutions are required to report incidents involving suspicious activity (described below).
The Interagency Guidelines Establishing Information Security Standards implement Sections 501 and 506 of the GLB Act and apply to national and state banks, savings associations, Edge and agreement corporations, branches and agencies of foreign banks, and bank holding companies, and nonbank subsidiaries of the foregoing (excluding certain functionally regulated entities such as broker-dealers, insurance providers, investment companies, and investment advisors).3 These safeguarding standards provide in relevant part that a financial institution’s incident response plan should provide for the notification of its Federal Regulator “as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.”4 The Federal Regulators have not further defined this reporting requirement, but some have provided guidance on the manner and form of the required reports.5
Under the Bank Secrecy Act, a financial institution is required to file a Suspicious Activity Report (“SAR”) with the Financial Crimes Enforcement Network (“FinCEN”) if it detects a known or suspected criminal violation of federal law or a suspicious transaction related to a money-laundering activity.6 This requirement covers attempts to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information and illegal activities carried out or facilitated by electronic systems and devices.7 While the Federal Regulators may review SARs, the purpose of filing a SAR typically is not viewed as facilitating incident reporting, nor does the SAR requirement cover all types of cybersecurity incidents. Further, the 30- or 60-day deadline for filing a SAR is not necessarily timely for cybersecurity investigation purposes or for alerting the industry to cybersecurity attacks.
In recent years, states have moved to impose broader cybersecurity incident reporting requirements on state-regulated financial institutions. For example, the New York Department of Financial Services requires institutions that it regulates to report certain cybersecurity events to the agency within 72 hours.8 Similar requirements have been imposed by some state insurance regulators as part of their adoption of the NAIC Insurance Data Security Model Law.9 These state laws are in addition to the consumer breach notification laws adopted by all fifty states and the District of Columbia, which may require notification to a state agency as well as the consumers.
Bank Service Company Act
The BSCA was adopted in 1962 to govern investments by banks in service companies that provided clerical activities.10 Originally, it required that a bank and a service provider provide assurances to the appropriate Federal Regulator that the service provider would be subject to examination and regulation to the same extent as the bank.11 In 1982, however, this requirement was replaced with requirements that (i) the bank provide after-the-fact notice of the relationship with the service provider to the appropriate Federal Regulator and (ii) the service provider be subject to examination and regulation by the Federal Regulator.12
The BSCA has been expanded over the years to cover more than clerical activities, and by its terms, encompasses check and deposit sorting and posting; computation and posting of interest and other credits and charges; preparation and mailing of checks, statements, notices, and similar items or any other clerical, bookkeeping, accounting, statistical, similar functions performed for a depository institution; and nonbank activities authorized before November 12, 1999, under Section 4(c)(8) of the Bank Holding Company Act of 1956, as amended (“BHCA”), other than deposit-taking.13
Proposed Notification Requirements
The Proposal contains notification requirements for financial institutions and their service providers. For these purposes, a financial institution would include a national or state bank, a savings association, an Edge or agreement corporation, a US branch or agency of a foreign bank, and a bank or savings and loan holding company. The Proposal does not expressly cover nonbank subsidiaries of banks or bank holding companies or the foreign operations of foreign banking organizations.
Financial Institution Notification
First, a financial institution would be required to notify its appropriate Federal Regulator of a “notification incident” as soon as possible and no later than 36 hours after the institution determines in good faith that a reportable event occurred. The notification may be provided in written or oral form (including email or telephone) and would be made to the institution’s designated point-of-contact at the Federal Regulator. The notification would convey whatever general information is known to the institution regarding the incident.
Under the Proposal, a “notification incident” would be defined as a computer-security incident that the financial institution believes in good faith could materially disrupt, degrade, or impair:
(i) the ability of the institution to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) any business line of an institution, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
(iii) those operations of an institution, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
A “computer security incident” would be further defined as “an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
The preamble to the Proposal recognizes that a financial institution would need to undertake a reasonable investigation to determine that a notification incident has occurred and explicitly states that this determination need not be made outside of normal business hours. It also clarifies that not all cybersecurity events are reportable and provides a non-exhaustive list of events that would rise to the level of a notification incident:
(i) Large-scale distributed denial of service (DDoS) attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
(ii) A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
(iii) A failed system upgrade or change that results in widespread user outages for customers and bank employees;
(iv) An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
(v) A computer hacking incident that disables banking operations for an extended period of time;
(vi) Malware propagating on a banking organization’s network that requires the banking organization to disengage all Internet-based network connections; and
(vii) A ransom malware attack that encrypts a core banking system or backup data.
The Proposal also discusses the interaction between the notification requirement and the resolution planning rule and indicates that institutions subject to the resolution planning rule may rely on prior identification of core business lines and critical operations to inform the determination that an event is reportable. While all institutions must understand their operations sufficiently to make such determinations, smaller institutions are not required to map core business lines and critical operations.
Additionally, the Proposal indicates that a subsidiary institution should notify its parent institution of a notification incident (in addition to the Federal Regulator), and the parent institution should consider whether it must make a separate report to its Federal Regulator based on the indirect effect of the incident.
Service Provider Notification
For purposes of the Proposal, a service provider would be any person performing services for a financial institution that is subject to the BSCA.14 Notably, the Proposal would not further define the services that are subject to the BSCA, although the preamble states that it would include all activities that are permissible for a bank holding company under Section 4(c)(8) of the BHCA, including “components that underlie these activities.”
The Proposal would explicitly require a service provider to notify at least two individuals at each affected financial institution customer immediately after the service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. The preamble to the Proposal notes that the Federal Regulators believe that most existing service provider contracts already include incident-reporting provisions, but does not explain how the new requirement would interact with existing contracts or whether those agreements would need to be amended to comply with this notice requirement.
Based on the list of reportable incidents for financial institutions above, a computer-security incident at a service provider also could trigger a reporting obligation by the financial institution, but this obligation would rest with the institution, not the service provider.
In the Proposal, the Federal Regulators indicated that the thousands of regulated financial institutions experience a total of approximately 150 notification incidents per year and estimate that 120,000 service providers experience a total of approximately 36 computer security incidents each year. While these numbers are based on the experience of the Federal Regulators and may seem low to industry observers, they appear to reflect the Federal Regulators’ high threshold for identifying an event as material.
Additionally, while service providers have long been subject to the BSCA, including examination by the Federal Regulators, the creation of affirmative regulatory requirements for service providers is an important development. Even if the regulatory requirement mirrors a service provider’s existing contractual obligation and the accompanying service levels, the provider may need to consider creating or modifying its compliance program to ensure that it satisfies any notice obligation under any final rule. We expect service providers will raise this issue in comment letters on the Proposal.
Lastly, the preamble to the Proposal indicates that a service provider is one who provides to a financial institution any service that is subject to the BSCA “as well as components that underlie these activities.” This could result in an expanded definition to include providers of services that only tangentially support a financial institution’s activities. Given the potential broader ramifications related to the BSCA, the Federal Regulators might consider further clarifying the scope of covered services.
1 Press Release, Agencies propose requirement for computer security incident notification (Dec. 18, 2020), https://www.federalreserve.gov/newsevents/pressreleases/bcreg20201218a.htm.
2 Service providers previously were subject to direct regulation under Regulation S, which was repealed in 1979. See 65 Fed. Res. Bull. 341 (Apr. 1979). Financial institutions are subject to regulation with respect to their relationships with service providers. E.g., OCC, Bull. 2013-29 (Oct. 30, 2013); FFIEC, BSA/AML Manual: Use of Third Parties (2014).
3 See 12 CFR pt. 30, app. B, supp. A; pt. 208, app. D-2, supp. A; pt. 225, app. F, supp. A; pt. 364, app. B, supp. A. Broker-dealers, insurance providers, investment companies, and investment advisors are subject to implementing regulations promulgated by the Securities and Exchange Commission and state insurance regulators, as appropriate. While the Interagency Guidelines Establishing Information Security Standards do not explicitly apply to savings and loan holding companies, many such institutions comply with them.
4 Id. Whether notification is required will depend upon a review of the particular facts and circumstances, including the type of consumer information subject to unauthorized access and the risk of harm to the consumers (e.g., misuse of the information about a customer has occurred or is reasonably possible).
5 See Federal Reserve, SR 05-23 (Dec. 1, 2005) (“an institution should provide the central point of contact with information on the steps taken to contain and control the incident, the number of customers potentially affected, whether customer notification is warranted, and whether a service provider was involved.”).