A milestone date for an ambitious federal banking industry cybersecurity regulation that debuted at the tail end of the Trump administration has nearly arrived.
Monday, April 12 marks the deadline for comments on an initial proposal that would mandate how a wide range of financial firms would need to report more kinds of cyber incidents to regulators within 36 hours. That’s a more stringent timeline that many comparable regulations; Europe’s General Data Protection Regulation notification window is twice as long, at 72 hours.
The relatively quick notification requirement generated most of the attention when the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Treasury’s Office of the Comptroller of the Currency announced the rule in December. It’s expected to receive significant blowback from the financial services industry as an overly aggressive demand.
Some analysts, though, cite the types of incident reports that need to be filed, and by whom, as the most remarkable elements of the proposed rule, rather than the 36-hour time window.
The “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” rule had been in the works for months before its rollout in December. But the rule touches on third-party vulnerabilities and incident response requirements, two issues fresh on the mind of policymakers after the SolarWinds campaign that was made public around the same time, wherein attackers exploited the software provider’s vulnerability to compromise nine federal agencies and major technology companies.
In March 2020, Finastra — a London-based bank software provider to most of the world’s biggest banks — revealed that it experienced a ransomware attack that forced it to disconnect some servers from the internet. Later, the Securities and Exchange Commission warned about a rise in the sophistication of ransomware attacks within the financial sector.
Among the proposed rule’s major provisions, then, is that bank service providers for the first time would have to provide notifications to banking organizations when they suffer damaging cyberattacks, defined in the rule as those which could “disrupt, degrade, or impair the provision of services.”
“One of the things that’s new about this and very important is the extent to which this reaches beyond the financial services industry into bank service providers,” said Arthur Nelson, associate director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.
Bank service providers are defined under law as companies that provide “check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.”
Another major provision of the regulation focuses on what triggers a notification. Under existing regulations, banks already are required to report breaches of customer data.
The new rule would go further, directing banks to notify their regulatory agencies about cyber incidents “that could result in a banking organization’s inability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector,” according to the agencies’ summary.
Examples include distributed denial-of-services attacks that hamper customer account access for more than four hours, or ransomware that encrypts a core banking system. The idea is to give agencies a chance to act when an attack causes big problems.
Most large industry groups are expected to file comments on the rule right at Monday’s deadline. So far, only a handful of small organizations and private individuals have provided any official responses that appear on regulations.gov. (Multiple major bank service providers didn’t answer requests for comment by press time Friday.)
The agencies are seeking feedback on questions such as what should define a “computer-security incident,” how extensively bank service providers must notify its customers during a disruptive attack and whether the 36-hour requirement is appropriate.
The headline-making 36-hour notification requirement is a significant element of the rule. Most state data breach notification laws require responses within measurements of days or months.
“I think it will be a very challenging rule, if it goes in play as it currently is situated, for organizations to comply with,” said David Kessler, head of data information and risk at Norton Rose Fulbright, a law firm that represents companies in the financial services industry. “The reality is that these tend to be very complicated events, particularly for financial institutions.”
But there’s some leeway within that quick timeframe.
“If you look into the actual language, it’s very wishy washy around, ‘When in 36 hours does the clock start?'” Nelson said. “They’ve made clear in the proposal that it doesn’t start when the incident happens or even when the firm first finds out about it.”
Still, industry could raise concerns about how the proposed rule harmonizes with international frameworks, as well as a separate track within Congress to advance incident notification legislation. International organziations also have examined how to harmonize incident reporting.
Although the rule debuted during the Trump administration, which touted its efforts to curtail federal regulation, few were surprised to see it make it across the finish line. There was little evidence that the regulation rose to the attention of the Trump White House as it proceeded through the apolitical bureaucratic rulemaking process.
“I don’t think that the Trump administration was touching this too much,” said Nelson.
There is no definitive timeframe for when the proposed rule might become final after the comment period ends.