UPDATE: Nov. 19, 2021: The Fed, OCC and FDIC approved a final rule Thursday requiring banks to notify their primary federal regulator within 36 hours of determining whether a "significant computer-security incident" could disrupt business or the stability of the financial sector, the agencies said.
The rule, which takes effect May 1, also requires bank service providers, such as technology vendors, to notify affected bank customers as soon as possible of any incident that could materially affect them for four hours or more.
The rule stems from a proposal the FDIC and OCC first floated in December 2020.
- A proposal Tuesday from the Federal Deposit Insurance Corp. (FDIC) and the Office of the Comptroller of the Currency (OCC) would require banks to notify their primary federal regulator within 36 hours of making a good-faith determination that a cybersecurity incident could materially disrupt, impair or degrade their operations, or threaten U.S. financial stability.
- Tuesday's measure also shifts some responsibility to a bank's technology vendor. Vendors would have to notify affected bank customers immediately of any incident that disrupted services for four hours or more.
- The proposal attaches a specific timeline to 15-year-old guidance instructing banks to notify their primary regulator "as soon as possible" about incidences of unauthorized access to sensitive customer data. Tuesday's update also covers disruptive incidents in which no customer data is exposed — a category previously left out.
The two regulators' proposal comes as banks face both an uptick in cyberattacks and fallout from past incidents. Attacks against the financial sector increased by 238% in the first five months of 2020, Tom Kellermann, head of cybersecurity strategy at VMware, testified on Capitol Hill in June, according to American Banker.
Beyond that, the sting of lost trust still lingers more than a year after a breach, allegedly by a former employee of cloud vendor Amazon Web Services (AWS), exposed the personal data of 106 million Capital One customers.
"The rule proposed by the agencies today provides appropriate balance — avoiding unnecessarily difficult or time-consuming reporting obligations while ensuring that regulatory agencies are in a position to provide assistance to a bank or the broader financial system when significant computer-security incidents occur," FDIC Chairman Jelena McWilliams said in a release.
Tuesday's proposal lists several examples of the type of incident that would warrant regulator notification — which could be as simple as phoning or emailing an agency official. Such incidents include large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time, failed system upgrades that result in widespread user outages and ransomware attacks.
Banks are also still obligated to file suspicious activity reports (SAR) up to 60 days after discovery of an incident.
It is unclear how Tuesday's guidance would have changed Capital One's response to the 2019 breach. A statement posted on Capital One's website, detailing the bank's post-breach actions, doesn't indicate exactly when customers were notified. The bank said it confirmed the breach July 19, but the statement was dated Sept. 23 — likely after the SAR was filed. News of the breach broke July 30, a day after FBI agents arrested the suspect in the case.
Nonetheless, the proposal puts an obligation on tech vendors, a facet that was missing in both the Capital One breach — when an AWS official said the burden of cloud security fell on customers — and in the case of a 2018 BB&T outage.
That bank, now part of Truist, sued vendor Hitachi Vantara, claiming the company was responsible for the "catastrophic" outage, which kept millions of customers from accessing the bank's online, mobile, ATM and wire transfer services for 15 hours over several days.
The outage cost the bank "about $15 million in lower deposit service charges and about $5 million in higher operating expenses," Daryl Bible, now CFO of Truist, told analysts in April 2018, according to the Winston-Salem Journal. The bank spent $300 million to build redundant data systems to prevent a similar outage, CEO Kelly King said, according to American Banker.
Tuesday's proposal will be open for public comment for 90 days.