Data Breach: Implementing New Vendor Management Communication Protocol

As technology becomes even more prevalent in the financial services industry, cyber-security incidents and data breaches are bound to occur.

Consequently, regulators are doing their part to protect consumers from having their personal information compromised.

Most recently, an event occurred with an insurance tracker where borrower personal information was compromised due to a phishing scheme. 

We are not privy to how the breach was handled, but earlier this year, regulators required compliance with guidelines for notifying lenders’ IT personnel that their systems have been compromised.  

If properly designed, this could enable a near real-time response.

In November 2021, the Joint Agencies released the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers final rule.

Before we jump into what the Rule requires of lenders and their service providers, it is important to define two terms: “Computer-Security Incident” and “Notification Incident”.

“Computer-Security Incident”

The Joint Agencies proposed rule adopted the definition of ‘computer-security incident’ as defined by the National Institute of Science and Technology:

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

However, after further discussion, the Joint Agencies felt as if this definition did not fully align with the purpose of the Rule.

The definition provided in the final rule reads as follows:

An occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

“Notification Incident”

A computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s —

1. Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
   
   
2. Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
   
   
3. Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The Rule requires banking organizations to notify their Federal regulator of any notification incident within 36 hours of determining that a notification incident has occurred.

Examples of notification incidents include, but are not limited to:

• Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
• A bank service provider that is experiencing system outages with unknown recovery time;
• A failed system upgrade or change that results in widespread user outages;
• An unrecoverable system failure resulting in activation of the disaster recovery plan;
• A computer hacking incident that disables operations;
• Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines, or critical operations, or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections; and
• A ransomware attack that encrypts a core banking system or backup data.

Banking organizations should consult their designated point of contact (provided by their regulator) to determine the best method of notification (phone, email, etc.).

How Does the New Rule Affect Bankers?

The Rule now puts responsibility on bank service providers to notify a banking organization when the provider determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services for four or more hours.

Service providers must notify at least one bank-designated point of contact, through reasonable means, as soon as possible.

If a point of contact has not been previously provided, the Chief Executive Officer AND Chief Information Officer OR two individuals of comparable responsibilities.

Note: This requirement does not apply to scheduled maintenance, testing, or software update that has already been communicated to a banking organization.

Onboarding a New Vendor Management Protocol

Banking organizations should have a conversation with their service providers about information security. 

Ask about each provider’s vendor policy that has been implemented as a result of this rule.

Before entering into a relationship with a service provider, banking organizations should ensure that potential vendors take data security seriously.

Being proactive is the best way to minimize damage caused by computer-security incidents and data breaches. That is why it is essential to partner with reputable service providers with airtight information systems.

Miniter’s information technology department works daily to ensure our lenders are protected from cyber-security incidents and data breaches.

We pride ourselves on ensuring that our information systems are reliable and secure.

Would you like to be invited to our complimentary webinars? Subscribe here.