What Steps U.S. Banks Should Do to Ensure They Can Address the FDIC’s New Breach Notification Requirements

Starting May 1, U.S. banks will be required to notify their primary federal regulator of a computer-security incident within 36 hours. The joint ruling, issued in November by the Federal Deposit Insurance Corp. (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve, requires financial institutions to to notify their primary regulator as soon as possible and no later than 36 hours after the firm determines that “a computer-security incident that rises to the level of a notification incident has occurred.”

While this is technically a new requirement, most U.S. banks likely already have incident reporting requirements through other regulations like the New York Department of Financial Services (NYDFS) cybersecurity regulation. The NYDFS regulation and other similar regulations require notification within 72 hours. Although the reporting time of within 36 hours is a smaller window than most have grown accustomed to, the FDIC has referenced the simplicity of the notification process as it has “set forth no specific content or format” as well as starting the 36-hour notification clock after you have determined you have an actual, rather than potential, security incident.

The more challenging piece may be tied to how the FDIC has defined a notification incident. The FDIC has made it clear the notification criteria is broader than just malicious incidents and inclusive of availability incidents such as a failed system upgrade resulting in widespread user outages. This will require an adjustment on how U.S. banks think about the typical types of incidents requiring notification.  

This rule also applies to banking service providers as well. Banking service providers have an obligation to notify each affected banking organization in the event of a computer-security incident causing a material disruption or service degradation for four or more hours. There is an additional consideration for U.S banks who are notified by a banking service provider in this scenario. Each impacted banking organization must independently determine if the banking service provider notification has caused a computer-security incident in their own organization requiring a notification. If so, it must be reported separately to the FDIC as the reporting obligation is not covered by the banking service provider’s notification.

In order for banks to be in full compliance with the rule on May 1st, they must be prepared to provide this notification within 36 hours of confirming an incident (meeting the required criteria) has occurred. To that end, banks should:

• Determine additional people and processes necessary (specifically those with operational responsibilities) to provide visibility and information to key stakeholders and those responsible for incident notification.
• Provide immediate and ongoing awareness and training to key business and technical stakeholders ensuring these roles understand the rule and the types of incidents that require FDIC notification.
• Update incident response plans accordingly to include actual notification procedures, ensuring to include the contact information of the appropriate FDIC supervisory office or designated point of contact.  FDIC notification scenarios should also be included in regular tabletop exercises. 
• Determine in advance the content to be shared in notifications to the FDIC. As the FDIC has left this open-ended with no specific template to follow, being prepared with what information to include will save time and add clarity during what is typically an already tense situation.

On the surface, the FDIC notification rule seems straightforward and the notification requirements appear to be low. It remains to be seen though how the FDIC will respond or use this information moving forward. This could certainly impact the level of effort associated with the ruling. Time will tell.