February 16, 2022
Financial Institutions & Banking Disputes Alert
Author(s): Christopher Queenin, Christopher M. Mason, Jason C. Kravitz
New reporting requirements for banks follow trend of increasing federal oversight of computer security incidents.
Over the past year, the federal government has continued to increase the pressure on private companies to report cybersecurity incidents and data breaches. In October, the Justice Department announced how it would use the False Claims Act to pursue companies that receive payments from the government and knowingly violate obligations to monitor and report cybersecurity incidents and breaches. At the end of December, the Department of Defense announced a revised set of cybersecurity standards for government contractors and subcontractors (dubbed Cybersecurity Maturity Model Certification 2.0).
Continuing this theme, financial institutions regulated by the Federal Deposit Insurance Corporation (the FDIC), the Board of Governors of the Federal Reserve System (the Fed), and the Office of the Comptroller of the Currency (the OCC) will now face new computer-security incident notification requirements in a rulemaking common to all three agencies. The new requirements for these financial institutions appear in a recently issued final rule (the Final Rule) with a May 1, 2022, compliance deadline.[1] Banks should make sure that they are carefully reviewing the new requirements and updating their policies (including risk assessments, information security programs, and incident response plans) as well as coordinating with their service providers about the new obligations they share.
The notification requirement in the Final Rule is notable for its very short reporting window—36 hours. This is even shorter than, for example, the 72 hours in Defense Department regulations, such as 48 C.F.R. § 252.204-7012(a) (“Rapidly report” means “within 72 hours of discovery of any cyber incident”), and similar time periods under the GDPR or some state laws. The intended purpose of this short time frame is to ensure an early alert to a bank’s primary federal regulator of the occurrence of any significant computer-security incident so that the regulator can react to the threat before it becomes a broader, potentially systemic, issue.
Here are the highlights of the Final Rule:
The Final Rule defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” As we will see below, this covers far more than data breaches.
The agencies recognize that banks manage computer-security incidents every day, and are not requiring banks to report each such incident. Instead, only those computer-security incidents that rise to the level of a “notification incident” must be reported.
A “notification incident” is defined as a computer-security incident that is “reasonably likely” to materially disrupt or degrade a bank’s:
Because of this “reasonably likely” standard, a bank will not have to notify its regulator when adverse consequences are merely possible or capable of being imagined. Still, it is likely that minds will differ in some instances as to when a notification incident is reasonably likely to cause a material disruption or degradation. To that end, the Final Rule includes a non-exhaustive list of seven examples of what the agencies generally consider “notification incidents”:
Because this list is only illustrative, institutions must evaluate, on a case-by-case basis, whether an incident is significant enough to require notifying the bank’s primary regulator. The Final Rule cautions that, if a bank is in doubt, it should err on the side of notification.
Importantly (and unfortunately, for the regulated entities), the Final Rule does not supersede or replace any other breach notification laws. The agencies considered whether existing laws and reporting standards would meet the goals of the Final Rule and concluded that they would not. Thus, a single notification incident could trigger obligations under multiple different laws.[2] The agencies also expect that a bank that experiences a computer-security incident that may be criminal in nature will, as appropriate, contact relevant law enforcement or national security agencies.
A bank must report a notification incident within 36 hours of “determin[ing] that a notification incident has occurred.” This 36-hour notification requirement is shorter than most other data breach laws.
However, the 36-hour clock only starts once a bank “determines” that a notification incident has occurred. Many other breach notification laws, by contrast, start once an organization begins investigating or “becomes aware” of a breach. For example, the 72-hour clock under the GDPR starts once an organization “become[s] aware of a breach.” GDPR, Art. 33. The use of the term “determines” in the Final Rule potentially gives a bank some additional cushion of time to examine the nature of the incident and assess whether it rises to the level of a notification incident. But this time will be limited by the circumstances and the default position of the Final Rule is that if a bank is in doubt as to whether it is experiencing a notification incident, it should notify its primary regulator. (The agencies, therefore, also recognize that a bank may file a notification from time to time based on a good-faith, but mistaken, determination that a notification incident has occurred when one actually has not.)
Aside from regulatory enforcement, as with any data security incident, there is a risk of class action litigation by affected customers (and qui tam actions under the False Claims Act if the institution receives federal payments) if a bank fails to promptly report an incident that must be reported under the Final Rule. This is true even though the Final Rule does not include its own private right of action in favor of bank customers. Clever plaintiffs’ counsel will have no trouble advancing claims based, for example, on unfair and deceptive practices theories, whether or not such claims are ultimately sustained.
Banks and their service providers should take certain actions now in anticipation of the May 1, 2022, compliance deadline. These actions include the following:
Financial institutions already deal with too many overlapping reporting and notification requirements. The Final Rule does not help relieve this complexity. But its prompt notification regime will help contain incidents that might otherwise spread or repeat. Furthermore, if an incident is isolated by prompt reporting, the Final Rule provides that regulators may be willing to assist the reporting institution in mitigating the impact of the incident. Such assistance may be especially helpful to smaller institutions and community banks that have more limited resources. And finally, while the timing requirement in the Final Rule may be onerous in and of itself, there is little doubt that prompt action in response to cyber incidents is highly likely to be one of the most effective ways to reduce the ultimate costs of those incidents to an institution.
Continuing the trend of federal involvement in regulating data breaches, on February 9, 2022, the Securities and Exchange Commission (SEC) voted to propose a new rule regarding cybersecurity risk management for investment advisors and registered investment companies, including business development companies. The SEC’s proposed rule would require that investment advisors and funds implement written policies and procedures to address cybersecurity risks, and notify the SEC within 48 hours of concluding that a significant cybersecurity incident has occurred or is occurring.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.