Published Article
Computer-Security Incident Notification Requirements for Banks Become Effective
On November 23, 2021, the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) jointly issued a final rule establishing notification requirements for computer-security incidents for banking organizations and bank service providers, in order to promote early awareness of emerging threats and enable the agencies to react before those threats become systemic (“Final Rule”). The Final Rule went into effect on April 1, 2022, with a compliance date of May 1, 2022. The Final Rule applies to all banking organizations supervised by the Federal Reserve, OCC, and FDIC, but does not apply to designated financial market utilities under 12 U.S.C. § 5462(4).
The Final Rule defines a “notification incident,” which includes a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the bank’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector. The types of incidents can include major computer-system failure or a cyber-related interruption such as a ransomware attack. The Final Rule also defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
A banking organization is required to notify the Board within thirty-six hours after the bank determines that a notification incident has occurred. If a bank is unsure whether a notification incident occurred, it is still encouraged to contact the Board. A bank service provider is required to notify each affected banking organization customer’s point of contact as soon as possible once it determines that it has experienced a computer-security incident. If the bank has not appointed a point of contact, the bank service provider must notify the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals with comparable responsibilities, through any reasonable means. If a bank service provider has any doubt as to whether there is a material disruption or degradation in services provided to its banking organization customer for four or more hours that would cause a material adverse impact on the bank, the Board encourages the bank service provider to contact its banking organization customer or its own legal adviser.
Reprinted with permission from the American Bar Association’s Business Law Today May Month-In-Brief: Business Regulation & Regulated Industries.