Tag Archive for: computersecurity

Computer-Security Incident Rule Creates New Notification Requirements for Banking Organizations and Bank Service Providers | Steptoe & Johnson PLLC


On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule (the “Computer-Security Incident Rule” or the “Final Rule”) establishing computer-security notification requirements for banking organizations and their bank service providers. The Final Rule, which has an effective date of April 1, 2022, and a mandatory compliance date of May 1, 2022, contains two major components.

First, a “banking organization” must notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that the notification incident has occurred. Second, a “bank service provider” must notify each affected banking organization customer as soon as possible of a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. The purpose of the Computer-Security Incident Rule’s notification requirements is to give regulators and banking organizations earlier awareness of emerging threats to banking organizations and the broader financial system.


The Final Rule defines a “computer-security incident” as an occurrence that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This is narrower than the definition in the proposed rule, which also covered potential harm and any “violation or imminent threat of violation of security policies, security procedures, or acceptable use policies”; the agencies dropped both elements in the Final Rule.


A “computer-security incident” that would rise to the level of a “notification incident” triggering the Final Rule’s notification requirements includes, but is not limited to:

  • A ransomware or malware attack that encrypts a core banking system or backup data;
  • A large scale distributed denial of service attack that disrupts customer account access for an extended period of time;
  • A failed system upgrade or change that results in widespread user outages for customers and banking organization…


FIREWALL - A SOLUTION FOR COMPUTER SECURITY | What is a Firewall? Defined, Explained, and Explored



Rule requires banks report significant ‘computer-security incidents’ within 36 hours | Article


The Office of the Comptroller of the Currency (OCC), Federal Reserve, and Federal Deposit Insurance Corp. (FDIC) approved the policy, which also requires service providers for financial institutions to notify affected banking organization customers of any service disruption or degradation caused by a computer-security incident that lasts, or is reasonably likely to last, four or more hours.

The rule is effective April 1, 2022, and compliance is required by May 1, 2022.

A computer-security incident is described in the rule as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” Such incidents can be caused by a variety of factors, including cyberattacks launched by hackers with “destructive malware or malicious software” as well as “non-malicious failure of hardware and software, personnel errors, and other causes.”

A “notification incident” is defined in the rule as a computer-security incident “that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations; result[s] in customers being unable to access their deposit and other accounts; or impact[s] the stability of the financial sector.”

The rule requires any bank service provider subject to the Bank Service Company Act (BSCA) to notify at least two individuals within the affected banking organization of a computer-security incident that it “believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.” The banking organization would then determine whether the incident rises to the level of a notification incident and, if so, inform its primary federal regulator within 36 hours of making that determination.

“The notification requirement for bank service providers is important because banking organizations have become increasingly reliant on third parties to provide essential services,” the rule said. “… [A] banking organization needs to receive prompt notification of computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, these services because prompt notification will allow the banking…


Federal Banking Agencies Propose Computer-Security Incident Notification Requirements | Weiner Brodsky Kider PC


The FDIC, Board of Governors of the Federal Reserve System, and OCC (the Agencies) recently issued a joint notice of proposed rulemaking that would require a banking organization to notify its primary federal regulator of any computer-security incident that the banking organization believes in good faith rises to the level of a notification incident.  Comments must be received by April 12, 2021.

The proposal would require a banking organization to notify its primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident has occurred.  The proposal explains that a computer-security incident includes occurrences that: (i) result in actual or potential harm to the confidentiality, integrity, or availability of an information system; or (ii) violate or immediately threaten to violate security policies, procedures, or acceptable use policies.  The proposal explains that a notification incident includes a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair various banking operations.

Additionally, the proposal would require a bank service provider that provides services described in the Bank Service Company Act to notify at least two individuals at affected banking organization customers immediately after a computer-security incident that it believes in good faith could disrupt, degrade, or impair services for four or more hours.  The Agencies explain that a bank service provider is not expected to determine if the computer-security incident rises to the level of a notification incident because it may not know if the service is critical to the banking organization’s operations.

The Agencies explain that the notification requirement is intended to serve as an early alert to the banking organization’s primary federal regulator.  No specific information is required in the notice, and it can be provided through any form of written or oral communication.
