Read the Joint Release Here

  • Source: federalreserve.gov

Treliant Takeaway:

Our professionals include but are not limited to former Chief Information Security Officers (CISO), Chief Compliance Officers (CCO), and Internal Auditors. We understand how to make cybersecurity programs work and to prepare firms for regulatory exams which may include how firms prepare for cyberattacks, especially with many individuals now working remotely.

Release Highlights:

The Board of Governors of the Federal Reserve System (“FRB”), Federal Deposit Insurance Corporation (“FDIC”) and the Office of the Comptroller of the Currency (“OCC”) released a joint Proposal for Computer Security Incident Notification (“Proposal”) On December 18, 2020.

The proposal is centered around supervised banking organizations and more broadly the financial sector, and includes notification requirements to their primary federal regulator in the event of a computer security incident.

Additionally, the proposal would require service providers to notify affected banking organizations immediately when the service provider experiences computer security incidents that materially disrupt, degrade, or impair certain services they provide.

Several industries (e.g. healthcare, financial, manufacturing) in the last few years have been severely hit by different forms of cyberattacks such as ransomware and most recently revealed the Solarwinds cyberattack that inserted a vulnerability (SUNBURST) within their Orion® Platform software which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.

Proposal Highlights:

  1. To provide the agencies with an early warning of significant computer security incidents and would require notification as soon as possible and no later than 36 hours after a banking organization determines that an incident has occurred.
  2. To require service providers to notify affected banking organizations immediately when the service provider experiences computer security incidents that materially disrupt, degrade, or impair certain services they provide.
  3. Upon occurrence of a notification incident, the affected banking organization may incur up to three hours of staff time to coordinate internal communications, consult with its bank service provider, if appropriate, and notify the banking organization’s primary federal regulator. This may include discussion of the incident among staff of the banking organization, such as the Chief Information Officer, Chief Information Security Officer, a senior legal or compliance officer, and staff of a bank service provider, as appropriate, and liaison with senior management of the banking organization
  4. The proposed rule would require a bank service provider of a service described under the Bank Service Company Act (BSCA) to notify at least two individuals at affected banking organization customers immediately after experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.

Comments on the proposal must be received within 90 days of its publication in the Federal Register – on or before March 18, 2021.

CISOs and their teams need to be ready to respond in the event their firms and/or customers become victims of a cyberattack. If this occurs, there are regulatory requirements to report within certain timeframes.

The New York State Department of Financial Services (“NYSDFS”) 23 CRR-NY 500.17 Notices to superintendent, part (a) requires that Each covered entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred.

With the FRB proposal of 36-hour notification, there will need to be some synchronization of the regulatory notification requirement for organizations that are regulated by both the FRB and NYSDFS.

The FBI has also encouraged firms to notify them of such cyberattacks. Firms will need to demonstrate compliance and be ready for a thorough look at the underlying processes by the regulators.

Author

Richard Hudson

Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…