Ask the Regulator RE: Incident Notification Rule Summarized
On April 28, 2022, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency (collectively, the “Agencies”) hosted an Ask the Regulators webinar regarding their Computer-Security Incident Notification Rule (“Rule”).
In response to questions raised during the webinar, the Agencies indicated:
The notification that must be made to the primary federal regulatory body does not have to follow any specific format or meet any specific content requirements.
Any information disclosed in a report will be considered confidential and subject to the agency's confidentiality rules.
Any notification made to the primary federal regulatory body pursuant to this Rule will not displace or subrogate any other reporting requirements, such as those imposed by state or other federal regulatory bodies.
The definition of “materiality” under the Rule will be established by each institution's internal decision-making processes. These processes should include consideration of whether the institution is able to continue to provide services to its customers, the period of disruption of those services, consultation with counsel or other compliance team members, and any other actions the institution deems necessary to make this determination.
The Agencies indicated that if a primary means of access goes down for several hours, this would likely be “material.” The Agencies also indicated that “if no data is lost” or “if the antivirus blocks malware or a cyber-attack,” then the incident may not be “material.”
The preamble of the Rule provides a non-exhaustive list of guidance as to what is “material.”
If an institution is unsure as to whether the incident is “material,” the Agencies encourage the institution to contact the institution's primary federal regulator.
A determination as to whether an incident is “material” must be completed within a “reasonable” amount of time. The Agencies clarified that there is no definition of what a “reasonable” amount of time would be. A timeframe for notification applies after the determination is made; however, no timeframe applies to the determination period itself.
There is no requirement that an organization provide a preliminary incident report to the primary federal regulatory body.
The Agencies clarified that a “computer-security incident” encompasses “any information system.”
The reporting requirement is on the banking organization, regardless of the origin of the incident.