Federal Regulators Issued Joint Final Rule Establishing Computer-Security Incident Notification Requirements

On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule establishing notice requirements for computer-security incidents occurring in banking organizations and bank service providers.

Under the final rule, FDIC-supervised banking organizations will be required to notify the FDIC[1] no later than 36 hours after the bank determines that a “computer-security incident” that rises to the level of a “notification incident” has occurred.

“Computer-security incident” is defined as an occurrence that:

  • results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or

  • constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

“Notification incident” is defined as

“[A] computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—

  • The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

  • Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or

  • Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

If you have any questions or concerns regarding this final rule, please contact Kennedy Sutherland.


[1] The banking organization must provide this notification to the appropriate FDIC supervisory office, or an FDIC-designated point of contact, through email, telephone, or other similar methods that the FDIC may prescribe.
