
Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

April 1, 2023, marks one year since the effective date of the final rule issued by the OCC, Board of Governors of the Federal Reserve System, and FDIC, requiring a banking organization to:

“Notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”


While not the focus of this blog post, the final rule also requires bank service providers to notify affected customers as soon as possible if a “computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”

While notification requirements previously existed, the final rule was issued to set the 36-hour requirement in recognition that it is important that a “banking organization’s primary federal regulator be notified as soon as possible of a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.”

The final rule encourages timely notification to allow agencies to:

  1. Have early awareness of emerging threats to banking organizations and the broader financial system;

  2. Better assess the threat a notification incident poses to a banking organization and take appropriate actions to address the threat;

  3. Facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP);

  4. Provide information and guidance to banking organizations; and

  5. Conduct horizontal analyses to provide targeted guidance and adjust supervisory programs.

What Is a Computer-Security Incident?

A “computer-security incident” is an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

What Is a Notification Incident?

A “notification incident” is defined as a “computer-security incident” that a banking organization believes in good faith could materially disrupt, degrade, or impair:

  1. The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  2. Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
  3. Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Examples

The final rule includes a non-exhaustive list of incidents that are considered “notification incidents” under the final rule:

  1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);

  2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;

  3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;

  4. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;

  5. A computer hacking incident that disables banking operations for an extended period of time;

  6. Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and

  7. A ransom malware attack that encrypts a core banking system or backup data.


“When in Doubt, Contact Your Regulator”

Computer-security incidents are to be evaluated on a case-by-case basis to determine if notification is needed. If there is doubt as to whether notification is required, the final rule encourages that you contact your regulator.


Compliance Check

Hopefully, your banking organization has not experienced a computer-security incident in the last year, but it is imperative to amend your organization’s incident response plan and response procedures to ensure compliance with the final rule.


Does your incident response plan include notification procedures that align with the final rule?

If you’re not sure, you might need an expert to help identify gaps in your compliance. Ingalls’ expert team of cyber risk management consultants is here to help evaluate your incident response procedures for compliance with the final rule, consult on any needed changes, and provide customized tabletop testing scenarios to ensure an appropriate response should your organization fall victim to a “computer-security incident” requiring notification.
