What Steps U.S. Banks Should Take to Ensure They Can Address the FDIC’s New Breach Notification Requirements
Posted by: Gary Brickhouse
Starting May 1, U.S. banks will be required to notify their primary federal regulator of a computer-security incident within 36 hours. The joint rule, issued in November by the Federal Deposit Insurance Corp. (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, requires financial institutions to notify their primary regulator as soon as possible and no later than 36 hours after the firm determines that “a computer-security incident that rises to the level of a notification incident has occurred.”
While this is technically a new requirement, most U.S. banks likely already have incident reporting obligations under other regulations, such as the New York Department of Financial Services (NYDFS) cybersecurity regulation. The NYDFS regulation and similar rules require notification within 72 hours. Although 36 hours is a smaller window than most have grown accustomed to, the FDIC has pointed to the simplicity of the notification process: it has “set forth no specific content or format,” and the 36-hour clock starts only after the bank has determined that an actual, rather than potential, security incident has occurred.
The more challenging piece may be how the FDIC has defined a notification incident. The FDIC has made it clear that the notification criteria are broader than malicious incidents alone and include availability incidents, such as a failed system upgrade that results in widespread user outages. This will require an adjustment in how U.S. banks think about the types of incidents that require notification.
This rule also applies to banking service providers. A banking service provider has an obligation to notify each affected banking organization in the event of a computer-security incident that causes a material disruption or degradation of service for four or more hours. There is an additional consideration for U.S. banks that receive such a notification from a banking service provider. Each impacted banking organization must independently determine whether the event reported by the service provider has caused a computer-security incident in its own organization that requires notification. If so, the bank must report it separately to the FDIC; the service provider’s notification does not satisfy the bank’s own reporting obligation.
For banks to be in full compliance with the rule on May 1, they must be prepared to provide this notification within 36 hours of confirming that an incident meeting the required criteria has occurred. To that end, banks should:
- Determine the additional people and processes necessary (specifically those with operational responsibilities) to provide visibility and information to key stakeholders and to those responsible for incident notification.
- Provide immediate and ongoing awareness and training to key business and technical stakeholders, ensuring these roles understand the rule and the types of incidents that require FDIC notification.
- Update incident response plans to include actual notification procedures, including the contact information of the appropriate FDIC supervisory office or designated point of contact. FDIC notification scenarios should also be included in regular tabletop exercises.
- Determine in advance the content to be shared in notifications to the FDIC. Because the FDIC has left this open-ended with no specific template to follow, knowing ahead of time what information to include will save time and add clarity during what is typically an already tense situation.
On the surface, the FDIC notification rule seems straightforward and the notification burden appears to be low. It remains to be seen how the FDIC will respond to or use this information going forward, which could certainly affect the level of effort associated with the rule. Time will tell.
Gary Brickhouse
CISO,
GuidePoint Security
Gary Brickhouse, CISO and VP of GRC Services at GuidePoint Security, began his career in the security industry in 2001. Gary is GuidePoint’s internal CISO and is responsible for all aspects of the company’s information security program, including building and maintaining our internal security architecture and control practices. Gary also leads the GRC Services consulting practice, where he is responsible for the development and delivery of GRC service offerings to support our clients. This unique position gives Gary greater visibility into customer needs, both from an industry services perspective and as a practitioner addressing the same risks for GuidePoint.
Previously, Gary was the Security and Compliance Architect for The Walt Disney Company, working on a large, multi-year business program where he served as the subject matter expert for compliance, data privacy, infrastructure and application security, as well as securing emerging technologies like RFID. While at Disney, Gary also served several years as the Compliance Manager responsible for the oversight and execution of the parks and resorts’ compliance programs. Before Disney, Gary was an Information Security Specialist at Publix Super Markets, one of the nation’s largest retailers.
Gary is a frequent speaker at industry conferences and webinars, covering a wide array of information security topics. He earned a Bachelor of Science degree from Florida Southern College, holds the Certified Information Systems Security Professional (CISSP), and is an ITIL v3 expert.