Reporting Computer-Security Incidents: Is your Community Bank ready?

Mar 21, 2022

It's not a secret that banks have a significant amount of personal information, and many people want that information for malicious purposes. As cybersecurity and computer-related crimes continue to increase, the Federal banking regulators have taken notice and are now requiring additional reporting. The regulators want to be made aware of these incidents to best help the affected banking organization, become familiar with patterns of computer-related crime, and inform other banks of threats they see throughout the banking system.

In November, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC), issued Financial Institution Letter (FIL)-74-2021. Effective April 1, 2022, with a compliance date of May 1, 2022, once a notification incident has occurred, banking organizations are required to notify their primary Federal regulator as soon as possible and no later than 36 hours of the incident. The FIL states the Federal regulators will have an appropriate agency-designated point of contact through email, telephone, or other similar methods that the agency may prescribe. A bank service provider is to notify a bank-designated contact at each of its customer banking organizations as soon as possible once the bank service provider determines it has experienced a computer-security incident.

The rule defines a computer-security incident as an occurrence that:

Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or
Constitutes a violation or imminent threat of violating security policies, security procedures, or acceptable use policies.

The rule further defines a notification incident as a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—

The ability of the banking organization to carry out banking operations, activities, processes, or deliver banking products or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business.
Any business line of a banking organization—including associated operations, services, functions, and support—and would result in a material loss of revenue, profit, or franchise value; or
Those operations of a banking organization, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The rules provide a non-exhaustive list of example incidents generally considered "notification incidents."

Large-scale distributed denial of service attacks that disrupt customer account access for an extended period (e.g., more than 4 hours);
A bank service provider that a banking organization uses for its core banking platform to operate business applications is experiencing widespread system outages, and recovery time is undeterminable;
A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
An unrecoverable system failure that results in activation of a banking organization's business continuity or disaster recovery plan;
A computer hacking incident that disables banking operations for an extended period of time;
Malware on a banking organization's network that poses an imminent threat to the banking organization's core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization's core business lines or critical operations from internet-based network connections; and
A ransom malware attack that encrypts a core banking system or backup data.

What does this mean for your banking organization?

First, if not already established, ensure that you have one point person responsible for receiving any notification of incidents in your agreement with your core service provider. This should be reviewed and updated annually as you conduct vendor management reviews.

Second, update policies and procedures to define, according to the FIL rule, what a notification incident is and the process for communicating that incident to your federal regulators. As turnover takes place with agencies, ensure you have the most recent contact documented in policy/procedures or wherever you maintain contact information for your federal regulator.

Third, consider conducting a tabletop exercise annually. This could be done as part of your business continuity plan process walkthrough, ensuring the key members of management know how to communicate incidents under this rule accordingly.

Finally, contact CRI. We have a broad knowledge of banking regulations and cyber security. We can help you draft the proper policy and procedures to follow and assist in communicating with your regulator when an incident requiring notification occurs. We have assisted clients who have been victims of computer-security crimes and can help you and your banking organization in its time of need.

Reporting Computer-Security Incidents: Is your Community Bank ready?

Mar 21, 2022

What does this mean for your banking organization?

Relevant insights

Harvesting Value: The Role of Bonus Depreciation in Enhancing Agricultural Investments

BSA/AML Model Validation: Understanding Expectations and Balancing Reality

At Long Last, GASB Approves Financial Reporting Model Improvements

To Lobby or Not to Lobby: Understanding Your Association’s Rights

Taxable Advertising or Nontaxable Sponsorship?

After the Standards: A Guide to Everything Else in a GASB...

Enhance Your Technology Tool Kit for Improved Productivity

Essential Governance Policies for Effective Associations

Avoid the Shock of a Surprise Tax Bill

It Figures Podcast: S5:E1 – CECL Lessons Learned and Opportunities Ahead

What Is an Internal Audit and Can It Benefit Your Organization?

Don’t Jeopardize Your S Corporation Status

The Critical Role of SOC Reports in Nonprofit Operations

GASB Pronouncement Effective Dates: Post-GASB 95 Revisions

Treasury Urges Congress to Settle 831(b) Captives Issue

Federal Deposit Insurance Corporation Improvement Act (FDICIA) Requirements

Understanding the New Employee vs. Independent Contractor Classifications

Global Internal Audit Standards Resource

Inheritance Unplanned: The Unexpected Impact of Taxes on Families

How Should School Districts Report Charter Schools?

Resource: Identifying and Reporting Charter Schools as Component Units

Are Charter Schools Component Units?

IRS Continues Pursuit of 831(b) Micro-captives in Tax Court Wins

Governmental Accounting & Auditing Omnibus

The Importance of Diversifying Your Customer Base

Discovering Your Business’ Value

Are Your Social Security Benefits Subject to IRS Taxation?

From Red Carpets to Tax Returns: The Versatile Roles of Accounting...

Pooled Income Funds Benefit Both Donor and Charity

Understanding the Implications of the House Committee’s Tax-Exempt Review

Introduction to the Global Internal Audit Standards

How Have Fraud Risks Changed?

5 Things to Remember About Substantiating Charitable Donations

Stay Vigilant to Reduce the Risk of Occupational Fraud

Crafting an Effective Nonprofit Document Retention Strategy

Ensuring Financial Integrity in Church Operations

Nine Questions About GASB Statement 102 on Risk Disclosures

State Tax Considerations for Insurance Companies

How to Be Prepared With a Business Continuity Plan

Real-Time Results: How Dashboards Can Help You Move Your Small Business...

Demystifying Deferrals: Illuminating the Intricacies of State and Local Government Accounting...

Key Discount Factors for 2023 Unpaid Losses in Insurance Companies

Fundamentals of Business Valuation: The Income Approach

Fundamentals of Business Valuation: The Market Approach

Optimizing Tax Benefits in Multi-Family Properties with Cost Segregation

Fundamentals of Business Valuation: The Asset Approach

2024 Cost of Living Adjustments Resource

IRS Issues Standard Mileage Rates for 2024

Loan Modifications Quick Reference Guide

Beneficial Ownership Reporting FAQs

New Beneficial Ownership Reporting Rules for Small Business

More Tips for Translating GASB Standards into English

Recent IRS Update: Postponement of Form 1099-K Reporting Threshold

Don’t Get Ready for Fiscal Year-End. Stay Ready.

Why Should You Consider a Sample Credit Card Agreement?

Key Insights for Employers on the Employee Retention Credit

Adapting to the IRS’s Electronic Filing Requirements

Help Your Business Finish Strong with These 10 Year-End Tasks

Faithful Finances: Crafting Credit Card Policies for Religious Organizations

Understanding the Hospitality Industry Audit Process

Unlocking the Value of Your Business, Part II: Post-Sale Considerations

Unlocking the Value of Your Business, Part I: Pre-Sale Considerations

5 Savvy Black Friday Shopping Tips to Put In Your Bag

EV Tax Credit Eligibility Flow Chart

Energy Tax Credits Table

QBI Deduction Flow Chart

Tax Implications of Debt and Equity Financing

Ensuring Franchise Success through CPA Expertise

Tax Alert: IRS Releases 2024 Inflation Adjustment

Financial Institutions – Year-End Accounting and Risk Management Update

How Does Industry Affect Fraud Risk?

You, Too, Can Set Accounting Standards

Networking for a Cause: Utilizing LinkedIn for Nonprofit Success

Cost-Effective Fraud Protection

AR-C Section 70: When It’s Relevant and How to Apply It

The Role of Maquiladoras in Mexico and Global Manufacturing

Discovering Your Business’ Value  