13 December 2021

Federal Bank Regulators Approve New Cybersecurity Incident Notification Rule

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

Last month, the FDIC, Federal Reserve Board, and the OCC announced a final rule to improve information sharing about cyber incidents that may affect the U.S. banking system. Among other things, the final rule requires banking organizations to inform their primary federal regulator no later than 36 hours after a determination that a "computer-security incident" has reached the level of a "notification incident." The final rule notes that notification is required for incidents that have affected, in certain circumstances:

  • the viability of a banking organization's operations;
  • its ability to deliver banking products and services; or
  • the stability of the financial sector.

In addition, the rule requires a bank service provider to notify banking organization customers as soon as possible when a computer-security incident occurs that "has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours." The final rule further provides that the notification requirement for bank service providers is important since "banking organizations have become increasingly reliant on third parties to provide essential services" that also "experience computer security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization" (we discussed previous guidance from the bank regulators on third-party risk management in an earlier Consumer Finance & FinTech Blog post here).

The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.

Putting It Into Practice: The business operations and compliance management of both banking organizations and bank service providers will be impacted by the final rule. Banks should use this time before the rule takes effect to revise their policies to implement the new rule's requirements and also expect to include relevant notification provisions in new and existing service contracts. This period should also include adopting or revising policies and procedures to identify a data incident and for reporting the incident to the appropriate agency.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
