Financial R&R: Banking Regulators Adopt Rule Requiring 36 Hour Notification of Cyber Incidents

Intro (00:01):
Welcome to Financial R&R, a show dedicated to financial insurance and risk management solutions and trends shaping the market today. Here are your hosts, Ron Borys and Ryan Farnsworth.

Ron Borys (00:13):
Well, hi, everyone and welcome to the latest installment of the Financial R&R. I'm Ron Borys with Alliant Financial Institutions. I’m here with Ryan Farnsworth, and our guest today is a guest who's been on before, David Finz from our Legal and Claims Group, who is an attorney who focuses and specializes on cyber claims and cyber policy wording. David, thank you for joining us today.

David Finz (00:37):
Pleasure to be here.

Ron Borys (00:38):
So, the reason we've asked David to join us is there's a new regulation that just came out, in the last two weeks or so, that has a pretty significant impact on banking industry or will once it goes into effect in the early part of next year. And we thought it would be a good idea to sort of pick David's brain, not only on what this would mean for banking clients, but also how people should be thinking about this change from a potential regulatory perspective, with regards to their insurance. David, it would be great to kick things off by explaining what this new rule is, and who is going to be impacted by it and what regulators it's going to apply to.

David Finz (01:10):
Sure. So, the three federal agencies charged with regulating banking entities, right? The Office of the Controller of the Currency, the Federal Reserve System, or many of us referred to the board, the Federal Reserve Board, and the FDIC, collectively issued a regulation that was back on November 23rd after opening this up for public comment over the past several months and what this regulation accomplishes are two objectives. One, is up until this point, begging an institution had been advised to notify their regulating agency as soon as practicable of an event that may affect their security of their networks and their data. Now, there's actually some timelines around that. So, banking institutions now have to notify the respective regulator of an incident within 36 hours of its discovery. And the question is what is defined as an incident being serious enough called a notification incident, and those fall into three categories, right?
One may have to do with their ability to carry out their banking activities. One is with respect to weigh loss of revenue. And the third is anything that would pose a threat to the stability of the U.S. financial system, obviously aligned with all of this is any breach of customer data deposit or borrower data would qualify as a notification incident. The second thing that this does is it requires banking, service providers, those firms that are providing it services to the banking industry to notify their customers of any incident which has resulted or that they anticipate resulting in an outage to their networks exceeding four hours, because then those banking customers will be able to make an assessment of whether the incident is going to have a significant enough impact on their own operations to notify their regulators.

Ron Borys (03:16):
I mean, listen, David, I don't know your opinion on 36 hours. Doesn't seem like a long amount of time here, right? I mean, obviously you walk in one day, you see that somebody's penetrated or breached your system. They've now taken control over your network. They're making all sorts of demands. Obviously, there's a lot going on as you know from working through those types of situations with clients. I mean, what's the thought process behind the timeframe? I mean, is there any sort of log you fill in or?

David Finz (03:40):
I think there's two reasons for that, right. One, I mean, to your point, there's a state of attacks that tend to happen over weekends, particularly holiday weekends, 36 hours is not a lot of time when these things often happen after regular business hours. But I think the concern here is the cascading effect because many financial institutions rely on the same pool of service providers for their operations, with respect to any kind of outsourced IT services. And so, if there is something that is being perpetrated upon one institution that could have an effect because it's a result of them using the same managed service provider, the sooner that regulators get out in front of that, the sooner they can give guidance to other institutions as to how to manage the event. I mean, we've seen this play out with respect to SolarWinds and CAIA where a security breach at one service provider could have a cascading effect on dozens, if not hundreds of entities.

Ryan Farnsworth (04:39):
David, that’s a lot of change that's going to need to occur potentially with some of our banking clients and their service providers in terms of how they handle these incidents. How long until this rule goes into effect, when is that going to happen and what should clients be thinking about now?

David Finz (04:56):
So, the effect of date of the rule is April 1, 2022. Although the regulation also says it has a compliance date of May 1. So that implies to me that for the first 30 days, there won't be any type of enforcement action taken by the regulators during that grace period. But it's expected at that point that each banking institution is going to have procedures in place to identify when a security breach has occurred and to be able to assess whether it qualifies for notification under this final rule and has a reporting system set up within their organization. So, they know who is responsible for communicating notification to their respective regulators.

Ron Borys (05:39):
So, David, as our bank clients are looking at this regulation and trying to understand what their new obligations are under the rules, we all know the next question's going to be, what does this mean for insurance? Right? There could very well likely be some additional costs associated with having to provide notification to another party. My sense is that if people are not compliant with the timeline here, there could potentially be punitive actions such as fines or penalties imposed by a regulatory agency against a bank, and we know in many cases, cyber policies do provide coverage for will find in penalties since a certain type of events. So, what does this mean from your view? How should clients be looking at this from an insurance perspective?

David Finz (06:24):
So, taking the two prongs of this regulation separately and I think you just touched on the first one, the costs of responding to a regulatory proceeding are often covered by a cyber insurance policy. The extent to which that policy can also pick up the cost of fines and penalties. And it's not clear from my reading of this regulation, that there's necessarily a monetary sanction attached to noncompliance, but if there is one, then those are often stated to be insurable to the extent permitted by law. And so, it would depend upon the respective jurisdictions in which that banking institution operates and what choice of law the policy allows for the insured, for us to be able to determine whether those fines or penalties are insurable. One thing to keep in mind is even if the bank is operating in a state where fines and are insurable, if those fines and penalties are being assessed for what the regulator deems to be deliberate misconduct, then those penalties might be excluded from coverage on a separate basis.

Not because they're a regulatory fine, but because they're punitive in nature. So, it really is a two-part test. Now, the second aspect of this regulation, which has to do with the banking service providers is something else that the banks should be attuned to. And that is because a dependent business interruption or contingent business interruption could cause an outage on their network in the sense that there's a loss of income or extra expense incurred by the bank in order to stay operational during their service provider's outage. So, if that service provider is so critical to the bank's operations, that an outage at the service provider affects their ability to do business, that itself may be an insurable event.

Ryan Farnsworth (08:16):
David, one more question that's on my mind is, and we’ll probably let you go, and we'll have to check back in on this in April and May and see how things are progressing and whether there’s advice we can share. But what kind of impact do you think this will have on the underwriting community? You know, what are the insurers going to be looking at? How does this rule change their thought process and how our clients can differentiate their risk in the marketing and underwriting process?

David Finz (08:39):
I think there's two things that we can expect to happen this spring. One is that for our financial institution, clients, underwriters are probably going to be asking about what protocols the bank has in place to handle the notification process, right? Who's responsible for giving notice to the regulator? How will they determine the process that they're looking for to see whether a notification incident has occurred? How do they intend to communicate that notice, particularly if it's outside of normal business hours? And the second thing that I think underwriters will be honing in on is something that we've already been paying attention to, which is this question of vendor management. I think it's very important for financial institutions to be asking the right questions of their service providers in terms of what redundancy they have built into their networks, what their business continuity plans are in the event of an outage and what they're doing to comply with their requirements under this new rule.

Ron Borys (09:33):
Yeah, like I said, so always nice to be out in front of these things and be able to put you as a subject matter expert on these types of podcasts and be able to share your thoughts and views. I mean, we always are looking for and committed to helping our clients find that that more rewarding way to manage risk. You are certainly a big part of that, David, and I look forward to hearing more. I'm sure there will be more public. It looks like law firms are writing about this by the day. It seems like new information is coming out, but we thought it would be great just to get you out there, share your thoughts and views on it. And, obviously, for those of you out there who have any questions, David can be a great resource to you. Feel free to reach out to us. You can find more information on Alliant and our Financial Institutions team at www.Alliant.com. But again, David, thanks for taking some time here to share your thoughts, always appreciated and we look forward to talking to you again soon.