Federal Bank Regulators Approve New Cybersecurity Incident Notification Rule

• Published date: 02 December 2021
• Subject Matter: Finance and Banking, Technology, Financial Services, Security
• Law Firm: Kramer Levin Naftalis & Frankel LLP
• Author: Mr Alan Friedman, Richard E. Farley, Robin Wilcox, Boaz I. Cohen, Daniel Lennard, Austin Manes, Martin M. McSherry, Leslie Kroeger and Randy Kreider

On Nov. 18, 2021, federal bank regulatory agencies approved a final rule requiring banking organizations to notify regulators of "any significant computer-security incident" as soon as possible and no later than 36 hours after a determination that such an incident occurred.¹

The rule will take effect on April 1, 2022. Compliance is required for banking organizations and their bank service providers by May 1, 2022.

The Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corp. (FDIC) and the Board of Governors of the Federal Reserve System (Board) (together, the "agencies") issued the final rule, which will require a banking organization to notify its primary federal regulator of any "computer-security incident" that rises to the level of a "notification incident." A "computer-security incident" is defined as one that results in "actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits." A "notification incident" is defined as "a computer-security incident" that has disrupted or degraded, or is reasonably likely to disrupt or degrade, a banking organization's

(i) ability to carry out banking operations, activities or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value; or

(iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

In addition, the rule will require bank service providers to notify at least one designated point of contact at any affected banking organization customer as soon as possible when the provider experiences any computer-security incident that has disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization customer for four or more hours.

Background

Cyberattacks targeting banking organizations have become more frequent and severe over time. In addition to threatening the stability of the financial system, these cyberattacks can harm banking organizations' networks, data and systems, and potentially disable their operations or prevent customers from...