The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board) and the Federal Deposit Insurance Corporation (FDIC) have jointly announced a final rule for the banking industry. The rule establishes computer-security incident notification requirements for banking organizations and their service providers, with the aim of giving regulators early awareness of emerging threats to the broader financial system. The rule requires banking institutions and relevant service providers to do the following:
- Identify large-scale distributed denial of service attacks that disrupt customer account access for a period of time greater than 4 hours.
- Inform their primary federal regulator as soon as possible, and no later than 36 hours after the attack has been identified.
- Appoint a point of contact for customers as soon as possible after a large-scale denial of service attack has been identified.
The final rule takes effect on April 1, 2022, with compliance required by May 1, 2022.
What is the Rule’s Impact?
Banking organizations covered under the rule issuance supervise roughly 5,000 depository institutions, not including holding companies and bank service providers. Additionally, Security Assessment Report (SAR) data analysis cited in the rule issuance indicates that there are approximately 150 annually occurring notification incidents* and that this number will likely grow in the future. With the issuance of the rule, a considerable number of organizations across the nation will be better equipped to protect a piece of critical national infrastructure.
The rule will require organizations to start conversations at the top of the command chain, prompting solution-oriented strategic planning with key stakeholders such as Chief Executive Officers (CEOs), Chief Information Officers (CIOs), Chief Security Officers (CSOs), and senior legal and compliance staff, all of whom can coordinate across business silos.
* A notification incident is a term specific to this rule, referencing “…occurring incidents that would require federal regulator notification. This number of notification incidents is likely to grow in the future.” See the issuance for more context.
When is an Incident a Notification Incident?
A notification incident is defined per the rule issuance as “…an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This means that any incident falling into the defined category requires a notification response.
Why is Incident Notification Important?
Timely incident notification is important for many reasons. When organizations take incident notification seriously, governing bodies gain early awareness of threats and industry peers gain visibility into emerging threat trends. In particular, this helps leaders across the IT and security space identify systemic risk and mitigation techniques, and supports improved threat analysis and risk planning.
Why Incident Notification is Valuable to the Banking Industry
Timely incident notification is critical to the functionality of the banking industry. Prompt response and subsequent notification not only promotes threat education, but also provides insight into the following:
- Incident isolation: If an incident is deemed to be isolated, there will be more immediate support available from the organization’s primary federal regulator. This means that organizations could be considered for grants and other forms of financial support to bring banking services back to normal functionality.
- Affected financial obligations: Incident notification provides immediate transparency around the effects of large-scale attacks and promotes trust between customers and banking authorities. Additionally, the disclosure of affected systems allows industry peers to better prepare for similar lapses in service.
- Adverse liquidity events: If a notification incident is handled in a non-transparent manner, it has the potential to reduce trust in the banking industry as a whole. Without the proper notification techniques in place and a clear prioritization of trust, rapid withdrawal of financing solutions could lead to a large-scale collapse in the banking industry and economic disparities.
Given the nature of the banking industry’s influence, prioritizing the implementation of a notification strategy is critical to sustaining the national and global economies.
Examples of Notification Incidents and Large-Scale Denial of Service Attacks
Notification incidents, including large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, can take many different forms, from an unauthorized breach to a malware infection or ransomware attack. The following are 7 common types of notification incidents as defined by the final rule issuance:
- Large-scale distributed denial of service attacks that disrupt customer account access for more than 4 hours.
- Widespread external outage with unknown recovery time.
- Widespread internal outage with unknown recovery time.
- Crisis response or business continuity plan activation.
- Operationally disabling computer hack.
- Malware that threatens critical lines of business.
- A ransomware attack that encrypts a core banking system or backup data.
How can OneTrust Help with Notifications and Incident Response?
The OneTrust platform leverages expertise in GRC, specializing in Vendor Risk Management, Privacy, Incident Management and many other categories to deliver an immersive security and privacy management experience. A key component of the OneTrust incident management solution is identifying related jurisdictions, governing authorities, and notification requirements based on the context of the incident. We enable you to gain visibility into all aspects of your organization’s security structure and empower incident-based notification through the provision of use-case specific functionality. Organizations can adhere to incident notification timelines without losing focus on response and recovery efforts. Such functionality enables seamless proactivity throughout incident management and allows organizations to prioritize trust and transparency as a competitive advantage.