The Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Federal Reserve Board (FRB) have each published guidance for banks and bank service providers to assist entities in meeting new regulatory obligations on information sharing for cybersecurity incidents impacting the US banking system. The new final rule – “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” – took effect on April 1, 2022, with a compliance date of May 1, 2022.
The rule, adopted in November 2021, requires banking organizations to notify their primary federal regulator of certain computer-security incidents deemed “notification incidents” within 36 hours of determining that such an incident has occurred. The rule also requires bank service providers to notify their affected bank customers as soon as possible after determining that a more broadly defined “computer-security incident” has occurred that has caused, or is likely to cause, a “material disruption or degradation [of services] for four or more hours.”
Michael Kleinman, special counsel for corporates at law firm Fried Frank, wrote in a commentary that: “Given the rule’s unique focus on notification of computer-security incidents affecting operations (rather than the more traditional, narrower focus on data breaches), banks should update their incident response plans to include procedures to determine whether a ‘notification incident’ has occurred, as well as steps to ensure that the 36-hour notification deadline will be met.”