Kebra Rhedrick of Wipro Opus Risk Solutions: Learning from the Best–The Notification Rule

Kebra A. Rhedrick is Chief Compliance Counsel with Wipro Opus Risk Solutions, Lincolnshire, Ill., a specialized risk management and quality control service provider for a wide range of participants in the mortgage and consumer lending industry. For more information, visit www.wipro.com/business-process/wipro-opus-risk-solutions/.

Kebra A. Rhedrick

There are unlimited resources to inform in-house counsel tasked with developing a strong legal and compliance framework while creating practical guidance for the businesses they serve. Of course, we rely on directly applicable laws, regulations and cases, but there are always elements of tangentially pertinent, or even wholly unrelated, bodies of law and industries from which we may draw inspiration and borrow best practices. In my practice, I like to borrow from the best.

An excellent, recent resource is the final rule on “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” Though not directly applicable to my organization, Wipro Opus Risk Solutions, we’ve adopted elements to define incidents and establish designated contact requirements.

Effective April 1, with a mandatory compliance date of May 1, the Notification Rule was issued jointly by the Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency. In short, the Notification Rule establishes notice requirements for banking organizations and certain bank service providers when they experience computer-security incidents that rise to the level of notification incidents. Since notification is required before the organization may fully assess the incident, the notification requirement mainly focuses on what is affected. A prudent institution would identify systems and information that trigger the rule in advance, and we have conducted such an assessment.

The Notification Rule is not directly applicable to Wipro Opus, as it is not a banking organization or the type of service provider subject to this rule. Additionally, Wipro Opus is not a steward of systems or the amount of information that would likely trigger the rule. We operate under the advice of counsel to determine whether an incident rises to the level of being reportable to a particular client.

While the rule does not directly apply to Wipro Opus, we are vigilant about our approach to information security. We borrowed content from the Notification Rule and its commentary for internal policies, procedures and training to generally mitigate risks of inadequacy or failure of internal processes.

For example, the Notification Rule defines ‘‘computer-security incident’’ as an incident that causes actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits. We were attracted to the term “availability” in the definition and applied it internally beyond typical information security. Then, we designed a notification process with template language for instances where key resources, such as our automated compliance review technology, are not available or are at risk of not being available. Borrowing the rule’s focus on early notification regarding availability has helped us respond quickly with certainty of the course of action to resolve any issue.

In addition, a “notification incident” under the Notification Rule is a computer-security incident that rises to the level of materiality. In designing the Wipro Opus notification escalation process, we removed the Notification Rule’s “materiality” requirement and resolved to internally escalate any incident that is likely to disrupt or degrade Wipro Opus’ ability to carry out operations and services in the ordinary course of business and where the incident is reasonably likely to result in a material loss of revenue. This borrowed best practice is for any incident, not only computer-security incidents, and yields the desired effect of over-notification. It is our belief that more communication is better, and each notification may be assessed for severity and whether it warrants further communication outside the organization.

Also, there are other more ordinary items that we borrowed. For instance, the commentary to the rule indicated a need for two designated contacts while the final rule settled for one. We see the proposed requirement as a best practice for internal notifications and applied it to departments in the same manner as the rule applies to clients.

Wipro Opus serves clients who are subject to the Final Rule, and we handle their information and access their systems with a level of security designed to avoid incidents. Because of this, we’ve taken it a step further to hold ourselves to certain standards revealed in the rulemaking process, and ultimately, established in the final rule on “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” We plan further adoption in the future as the industry implements the rule, and we expect our client banking organizations to incorporate incident notification provisions in contracts.

Looking to other bodies of law and industries for relevant elements is a best practice for in-house counsel. Much like the Notification Rule, rules not directly applicable to your organization are a valuable resource and reference.

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at msorohan@mba.org; or Michael Tucker, editorial manager, at mtucker@mba.org.)