How to Know if Your Bank Must Report a Cybersecurity Incident

By Alyssa Pugh, GRC Content Manager, CoNetrix

Since the effective date of the incident notification rule for banks, we have received several questions asking whether a given incident would be classified as a “notification incident.” For example:

• Would a one-hour core system outage be considered a “notification incident”?
• Would a bomb threat/robbery be considered a “notification incident”?
• Would a third-party breach from 10 years ago be considered a “notification incident”?
• Would an incident affecting 10% of our customers be considered a “notification incident”?
• Would malware be considered a “notification incident”?

Each of these is a valid question. If you work for a bank, how exactly would you determine which of these incidents must be reported to your federal regulator under the legal definition? Let’s take a look.

The Legal Definition

To be reportable to a federal regulator, an incident must meet two qualifiers:

1. It must be a “computer-security incident.” This is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

2. It must be a “notification incident.” This is “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade” a bank’s operations, including those which would:
   a) “Disrupt or degrade” the bank’s ability to “carry out banking operations [or deliver] products and services to a material portion of its customer base.”
   b) “Result in a material loss of revenue, profit, or franchise value.”
   c) “Pose a threat to the financial stability of the United States.”

(For the full definition, see the final rule: https://www.federalregister.gov/d/2021-25510/p-331.)

The word “material” shows up four times in this definition.
While there is no exact definition of the term, context clues and the word’s use in other legal contexts tell us that we are dealing with something serious or extreme. This is evidenced by the terminology used in the examples provided by the agencies, including words like large-scale, extended, widespread, failed, and unrecoverable. These terms communicate that the types of incidents considered “notification incidents” are very serious and possibly even systemic in nature.

What Does This Mean?

It is not as simple as “these incidents are notification incidents, and those incidents are not.” The decision will need to be made on an incident-by-incident basis. Consider some of these examples:

• An incident that affects 10% of the bank’s customers. Does “10%” meet the definition of “material” for you? What exactly is affecting them? How serious is it? How soon will it be resolved? Which 10% of your customers are affected? Is it a random 10%? Is it your top 10%?

• An incident that causes a one-hour core system outage. Does this meet

www.coloradobankers.org 16