Cyber Risk Reporting for Community Banks

By the very nature of finance, community banks hold a considerable amount of personal information. Such a vast amount of data and its sensitivity is a goldmine in the hands of a cybercriminal, making cyber risk reporting for community banks all the more critical.

In 2021, there were a record number of identity theft and fraud cases, representing a 7% increase over 2020.  As cybercrime has been growing steadily since 2017, federal banking legislators require additional reporting for banks to protect consumers.

While additional reporting is beneficial, it poses challenges for community banks. With that in mind, we’re providing an overview of how the federal government defines a computer security incident, reviewing the new rules and offering some best practices for cyber risk reporting rules within the banking industry.

What Are the New Cyber Risk Reporting Rules for Community Banks?

In November of 2021, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System issued Financial Institution Letter (FIL) -74-2021. The notice states that as of April 1, 2022, all banks must notify their primary federal regulator once alerted to a banking cyber risk incident. Banks must notify their federal regulators as soon as possible, but no longer than 36 hours after the incident occurred. Banks must comply with this mandate by May 1, 2022.

The new cyber risk reporting regulations, according to the FIL, mean banks will have a designated point of contact with whom they can communicate via telephone, email or another method indicated by the regulator.

Bank service providers must notify their contacts at the affected banks as soon as possible when they have determined a computer-security incident has victimized them.

What Defines a Computer Security Incident?

It better understand cyber risk reporting, it is helpful for community banks to understand how the federal government defines a computer security incident, as it clarifies exactly what banks need to communicate.

The following list details the parameters of a computer security incident:

• An incident that results in potential or actual harm pertaining to the confidentiality, availability or integrity of an information system or data that the system stores, transmits or processes; or an incident that is an imminent threat or violation of security policies, acceptable use policies, or security procedures
• A computer-security incident that the bank believes could materially degrade, disrupt or impair the bank’s ability to carry out banking activities, operations, processes; or deliver banking processes or products and services to the bulk of its customers during ordinary banking operations
• Any of the bank’s business lines including operations, functions, services, or support that would cause a tangible loss of profit, revenue or franchise value; or the failure or discontinuance of functions, services or support that would cause a potential threat to the economic stability of the United States

Furthermore, the federal government lists other types of incidents they consider to be necessary for rigorous cyber risk reporting. This list is not exhaustive, meaning community banks and other financial organizations must use their best judgment to decide what is necessary to report. These additional cyber risk incidents include:

• Denial of service attacks of a large scale that disrupt access to customer accounts for a lengthy period of around four hours or more
• A core banking platform provided by a bank service provider that the bank uses to operate business operations that has a widespread outage, and there is no designated recovery time
• A system change or upgrade that fails or causes extensive outages for banking customers and bank employees
• A system failure that cannot be recovered and causes a bank to resort to its business continuity plan or disaster recovery plan
• A computer system hacking incident that incapacitates the bank’s operations for a lengthy period of time
• A malware incident on the bank’s computer network that is considered an imminent threat to the bank’s core business lines or other critical operations that also results in the bank having to disable products or information systems that were compromised during an attack where they support the bank’s core critical operations or lines of business
• A malware incident that encrypts backup data or a core banking system

Best Practices for Cyber Risk Reporting for Community Banks

While the federal government outlines the definition of a cybersecurity incident and the rules for reporting requirements, community banks are on their own to establish policies and procedures to comply with the new reporting requirements.

To that end, we’ve developed some best practices for cyber risk reporting as a starting point for community banks.

1. If you haven’t done so, designate a single point person responsible for receiving notifications of cybersecurity incidents as stated in your agreement with your core internet platform service provider. Your board should review your agreement every year and update it as necessary.
2. Review your policies and procedures and update them to comply with the new FIL rule. Be sure they match the federal regulations for what constitutes a notification incident and update the process for contacting the federal regulators. Designate someone to check regularly to ensure they have the most recent contact in case of a turnover at a federal agency, which often happens.
3. Run a tabletop exercise yearly as part of your business continuity plan process. Walk through how your bank will communicate incidents to the federal government so you can be sure your bank complies with the new rule.

Moving Forward With Cyber Risk Reporting for Community Banks

As community banks lack the level of capital and staffing compared to larger banks, the 36-hour reporting timeframe can prove to be challenging. The new cyber risk reporting requirements are in addition to community banks’ other risk management practices.

Community banks must submit regular reports and create new cyber risk reports while dealing with the cyber security incident itself is bound to tax IT staff and other resources. As community banks generally use a service provider for their core platforms, community bank executives will also have to discuss with their providers to ensure all parties abide by the new cyber risk reporting rules.