The last few months have seen a flurry of new federal cybersecurity incident reporting requirements and proposals impacting private entities in the financial sector. As the number and frequency of cyber attacks continue to grow, regulators have attempted to enhance cybersecurity protections via increased and more rigid incident reporting obligations, leading to a constantly shifting regulatory patchwork of varying disclosure and timing obligations. These tightened reporting obligations raise new challenges for financial institutions who must not only ensure that their own programs are aligned with the new requirements, but also be certain to pass along reporting obligations to service providers.
The abrupt shift in reporting obligations comes after an extended period of time when most financial institutions faced consistent reporting obligations. In 2005, the federal prudential regulators—including the Board of Governors of the Federal Reserve System (Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Rather than specifying the number of hours or days within which a financial institution must report, the guidance allowed covered financial institutions to notify their primary federal regulator and affected customers “as soon as possible” after the discovery of incidents involving unauthorized access to or use of sensitive customer information.
Contrast this with the final rule issued by the Federal Reserve, FDIC, and OCC last November, which requires covered banking organizations to report within 36 hours after determining the occurrence of certain significant computer-security incidents. The final rule also requires bank service providers to notify their banking organization customers as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is likely to materially disrupt or degrade covered services for four or more hours.
Additionally, on March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, previously covered here, which requires entities in a critical infrastructure sector (which can include financial institutions) to report to the Cybersecurity and Infrastructure Security Agency (CISA) certain cyber incidents within 72 hours and ransomware payments within 24 hours of the payment. The Securities and Exchange Commission (SEC) recently published several proposed rules that would require various regulated entities to disclose certain cybersecurity-related incidents. The Federal Trade Commission (FTC) also tossed its hat into the ring and issued a proposal last December to require covered financial institutions to notify the FTC within 30 days after discovering a data breach affecting or reasonably likely to affect at least 1,000 consumers.
Below is a summary of the new reporting obligations proposed or soon to be effective for financial institutions:
|Law/Proposal||Who Reports||To Whom||Reporting Timeline||Status/Effective Date|
|Final Rule, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers||Banking organizations regulated by the Federal Reserve, FDIC, or OCC
|Federal Reserve, FDIC, or OCC, depending on which agency is the banking organization’s primary federal regulator||Report as soon as possible, but no later than 36 hours after determining a “notification incident” has occurred. A “notification incident” is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
|Effective date: April 1, 2022.
Compliance date: May 1, 2022.
On March 29, 2022, the Federal Reserve, FDIC, and OCC issued further guidance on the reporting requirements.
|Bank service providers||The affected banking organization||Bank service providers must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is reasonably likely to materially disrupt or degrade covered services for four or more hours. If a banking organization customer has not previously provided a bank-designated point of contact, the bank service provider must notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.
|Cyber Incident Reporting for Critical Infrastructure Act of 2022||Entities in a critical infrastructure sector (including those in the financial services sector, such as certain depository institutions, insurance companies, and financial services companies). The types of entities that constitute covered entities are to be further described in the forthcoming rulemaking process.
|CISA||Report a “covered cyber incident” not later than 72 hours after the covered entity reasonably believes that such an incident has occurred. A “covered cyber incident” means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria to be set by the CISA Director in the forthcoming rulemaking process.
Report a ransomware payment not later than 24 hours after the payment.
|Enacted March 15, 2022. The new reporting obligations will not take effect until the CISA Director promulgates implementing regulations.|
|Proposed Rule, Standards for Safeguarding Customer Information||Financial institutions subject to the FTC’s jurisdiction. This includes mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the SEC, and entities acting as finders.
|FTC||Notify as soon as possible and no later than 30 days after the discovery of any security event where the financial institution has determined misuse of customer information has occurred or is reasonably likely and at least 1,000 consumers have been affected or reasonably may be affected.||Comment period closed February 7, 2022.|
|Proposed Rule, Amendments to Form PF To Require Current Reporting and Amend Reporting Requirements for Large Private Equity Advisers and Large Liquidity Fund Advisers||Large hedge fund advisers
|SEC||File a current report via Form PF when a hedge fund that the adviser advises, with a net asset value of at least $500 million, experiences certain stress events. Such reporting events include when the adviser or reporting fund experiences a “significant disruption or degradation” of the reporting fund’s “key operations,” which could include cybersecurity events. File such current report within one (1) business day of the occurrence of such an event.
|Comment period closed March 21, 2022.|
|Proposed Rule, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies||Investment advisers registered or required to be registered under 15 U.S.C. § 80b-3||SEC||Report the significant cybersecurity incident affecting the adviser or its fund or private fund clients promptly, but in no event more than 48 hours after having a reasonable basis to conclude that any such incident has occurred or is occurring, by filing Form ADV-C electronically on the Investment Adviser Registration Depository.
Amend any previously filed Form ADV-C promptly, but in no event more than 48 hours after: (i) previously reported information pertaining to a significant cybersecurity incident becomes materially inaccurate; (ii) new material information pertaining to a previously reported significant cybersecurity incident is discovered; or (iii) the incident is resolved or related internal investigation is closed.
Publicly disclose in their brochures and registration statements cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years.
See further discussion of the proposal here.
|Comment period closed April 11, 2022.|
|Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure||Public companies subject to the reporting requirements of the Securities Exchange Act of 1934 (which include public financial institutions)||SEC||Report via Form 8-K material cybersecurity incidents within four (4) business days after the registrant determines that it has experienced a material cybersecurity incident.
Provide updated disclosures via the registrant’s quarterly report (Form 10-Q) or annual report (Form 10-K) relating to previously disclosed cybersecurity incidents. Disclose when a series of previously undisclosed individually immaterial cybersecurity incidents becomes material in the aggregate.
For foreign private issuers, disclose material cybersecurity incidents via Form 6-K and Form 20-F.
See further discussion of the proposal here.
|Comment period closes May 9, 2022.
Managing and meeting these new deadlines—and keeping track of the different content and submission requirements associated with each disclosure—can be challenging. Additionally, these requirements may trickle down even to companies not directly regulated by the above agencies, as many financial institutions may consider new default rules, such as requiring 24-36 hour reporting across the board for their service providers. As the cybersecurity regulatory landscape continues to evolve, companies should review their third-party service provider arrangements and incident response plans and stay on top of legislative and regulatory developments to ensure they are in a good position to meet increased expectations and accelerated reporting timelines.