On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule (the “Computer-Security Incident Rule” or the “Final Rule”) establishing computer-security incident notification requirements for banking organizations and their bank service providers. The Final Rule, which has an effective date of April 1, 2022, and a mandatory compliance date of May 1, 2022, contains two major components.
First, a “banking organization” must notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after the banking organization determines the notification incident has occurred. Second, a “bank service provider” must notify each affected banking organization customer as soon as possible of a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. The purpose of the Computer-Security Incident Rule’s notification requirements is to provide earlier awareness of emerging threats to banking organizations and the broader financial system.
The Final Rule defines a “computer-security incident” as an occurrence that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This is narrower than the definition in the agencies’ January 2021 proposed rule, which would also have covered “potential” harm and any violation or imminent threat of violation of security policies, security procedures, or acceptable use policies; the agencies dropped both elements in the Final Rule so that the term, and therefore the notification obligation, is tied to actual harm rather than to policy violations or near-misses.
A “computer-security incident” rises to the level of a “notification incident” when it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, (i) the banking organization’s ability to carry out banking operations, activities, or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business lines, including associated operations, services, functions, and support, whose failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions, and support, whose failure or discontinuance would pose a threat to the financial stability of the United States. Examples of “notification incidents” that would trigger the Final Rule’s notification requirements include, but are not limited to:
- A ransomware or malware attack that encrypts a core banking system or backup data;
- A large scale distributed denial of service attack that disrupts customer account access for an extended period of time;
- A failed system upgrade or change that results in widespread user outages for customers and banking organization employees; or
- A computer hacking incident that disables banking operations for an extended period of time.
The Final Rule applies to FDIC, FRB, and OCC regulated “banking organizations” (including US bank and savings and loan holding companies, national banks, and member and non-member state banks) and “bank service providers” (including service providers that perform “covered services,” such as payment processing for banks). Such banking organizations and bank service providers should promptly consult counsel to create an incident response plan and/or to implement policies and procedures needed to assure fulfillment of all the Computer-Security Incident Rule’s requirements prior to its mandatory compliance date.
For questions about this alert, please contact the authors and/or the Steptoe & Johnson Cybersecurity Team.