Federal Banking Agencies Issue Cyber Incident Notification Requirements | Practical Law

Federal banking agencies have issued a final rule requiring banking organizations to notify their primary federal regulator within 36 hours of determining certain material computer-security incidents have occurred. Bank service providers also must notify affected banking organization customers as soon as possible of computer-security incidents that materially disrupt or degrade covered services for four or more hours.

Practical Law Legal Update w-033-4823 (Approx. 4 pages)

by Practical Law Data Privacy Advisor
Published on 22 Nov 2021 | USA (National/Federal)
On November 18, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (FRB), and the Federal Deposit Insurance Corporation (FDIC) (collectively, banking agencies) issued a final rule requiring banking organizations to notify their primary federal regulator within 36 hours of determining a material computer-security incident has occurred.
The rule defines computer-security incident as an event that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits (12 C.F.R. § 53.2(4)).
Under the rule, a banking organization must notify its primary federal regulator of a computer-security incident that rises to the level of a "notification incident." Specifically, notification obligations apply to incidents that have materially disrupted or degraded, or are reasonably likely to materially disrupt or degrade, a banking organization's:
  • Ability to carry out banking operations or deliver banking products or services to a material portion of its customer base in the ordinary course of business.
  • Business lines, resulting in a material loss of revenue, profit, or franchise value.
  • Operations, the failure of which would pose a threat to the financial stability of the US.
Banking organizations must notify their primary federal regulator as soon as possible and no later than 36 hours after determining that an incident has occurred (12 C.F.R. § 53.3).
According to the banking agencies, examples of notification incidents include:
  • Large-scale distributed denial-of-service attacks that disrupt customer account access for an extended period of time.
  • Widespread system outages with undeterminable recovery times.
  • Failed system upgrades resulting in widespread user outages.
  • Unrecoverable system failures that trigger a banking organization's business continuity or disaster recovery plan.
  • Computer hacking incidents.
  • Malware that poses an imminent threat to the banking organization's core business lines.
  • Ransomware attacks that encrypt a core banking system or backup data.
Bank service providers also must notify each affected banking organization customer of a computer-security incident that has or is reasonably likely to materially disrupt or degrade covered services for four or more hours. This notification must be made as soon as possible and does not apply to previously communicated scheduled maintenance or testing (12 C.F.R. § 53.4(a), (b)).
The rule applies to banking organizations, with the exception of designated financial market utilities, that are regulated by:
  • The OCC, which includes national banks, federal savings associations, and federal branches and agencies of foreign banks (12 C.F.R. § 53.2(b)(1)).
  • The FRB, which includes US bank holding companies and savings and loan holding companies, state member banks, the US operations of foreign banking organizations, and Edge and agreement companies (12 C.F.R. § 225.301(b)(1)).
  • The FDIC, which includes insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations (12 C.F.R. § 304.22(b)(1)).
The banking agencies noted that they generally aligned the definitions of computer-security incident and notification incident with the terminology used by the National Institute of Standards and Technology (NIST), to promote consistency with established cybersecurity terms.
The rule is effective on April 1, 2022, with a compliance date of May 1, 2022.