Bank Groups Object to Proposed Breach Notification RegulationABA, Others Call Requirements Too Burdensome
The American Bankers Association and three other groups have voiced objections to provisions in a cyber incident notification regulation for banks proposed by three federal agencies. For example, they say that the definition of a reportable "computer security incident" is too broad and would result in the reporting of insignificant events.
The proposed regulation, the Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was posted to the Federal Register on Jan. 12, and the deadline for comments was Wednesday.
The proposed regulation would require banks to provide their primary federal regulator with prompt notification of any computer security incident that materially disrupts, degrades or impairs certain important business operations.
Under the rule, bank service providers would be required to notify banks of incidents. A bank service provider is defined as a party retained by a bank to provide, or to assist in providing, extra services, such as online banking or loans.
The HIPAA Breach Notification Rule imposes requirements for healthcare organizations and their business associates, but there is no federal law requiring breach notification in all sectors. States have their own breach notification requirements.
In a letter written Monday to the Treasury Department's Office of the Comptroller of the Currency, the Federal Reserve and the Federal Deposit Insurance Corp. - the agencies that proposed the regulation - the banking organizations supported many of the overarching aspects of the federal proposal, including reporting major cyber incidents.
"Our members recognize the importance of timely detection of significant cybersecurity threats, and fully support the [federal] agencies' goal of ensuring timely awareness of these threats in order to promote the safety and soundness of the U.S. financial system," the financial groups wrote in the letter.
But they raised concerns about a number of issues, including the requirement to report incidents within 36 hours of discovery.
In addition to the American Bankers Association, the letter's drafters included the Bank Policy Institute, the Securities Industry and Financial Markets Association and the Institute of International Bankers.
Fed Chair's Comments
The groups sent their letter to the federal agencies the day after Jerome Powell, chairman of the Federal Reserve Board, said on CBS' "60 Minutes" that cyber risk is his primary concern.
"The world evolves. And the risks change as well. And I would say that the risk that we keep our eyes on the most now is cyber risk. So you would worry about a cyber event," Powell said.
He said his primary concern is that a cyber event could bring all or part of the financial system to a halt.
A Burdensome Regulation?
The four banking groups contend that compliance with the new regulation would prove too burdensome for financial institutions.
"We share the goal to develop a flexible incident notification framework offering early awareness of disruptions, while also being appropriately scoped to avoid over-reporting and unnecessary burden for the banking industry, third-party service providers and the supervisory community," the groups wrote.
The proposed regulation bases its definition of a reportable computer security incident on the National Institute of Standards and Technology's definition.
The NIST definition is: "An occurrence that results in actual or potential jeopardy to the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies."
The four financial groups wrote that the NIST definition is too broad, and if it's included in a breach notification requirement, it would result in insignificant occurrences becoming reportable incidents.
"While we support the policy goals of the proposed rule, we believe that, as currently drafted, the proposed rule calls for notification of incidents well below the intended threshold of critical cybersecurity incidents. As a result, the proposed rule would lead to significant and burdensome over-reporting to the agencies, contrary to its stated intention," the banking groups wrote.
The financial groups suggested notification should be required only for those incidents that result in "actual harm" or that a banking organization determines in good faith are “reasonably likely” to cause significant harm. They said the notification requirement should be limited to information systems that handle or deliver banking operations, activities or processes during the normal course of business.
The 36-Hour Rule
Under the proposed regulation, "a banking organization would be required to notify its primary federal regulator of any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred."
The federal agencies hedge this time frame somewhat by noting that the 36-hour clock would not start until the affected organization determines it has been victimized by some type of cyber incident.
The four banking groups said reporting to regulatory authorities within 36 hours would not be achievable unless the definition of a reportable incident is narrowed.
"The requirement should be limited to those information systems that may give rise to an incident of the type the agencies are concerned about, that is, those that carry out banking operations, activities or processes, or deliver banking products or services in the ordinary course of business," the banking groups suggested.
The federal agencies will review all comments received before drafting a final proposal and will then solicit further comments.