On November 18, the Board of Governors of the Federal Reserve System (“Federal Reserve”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Deposit Insurance Corporation (“FDIC”) finalized the Computer-Security Incident Notification Requirements (the “Notification Rule”) for banking organizations and their bank service providers.
First introduced in December 2020, the Notification Rule expands and clarifies existing notification requirements for financial institutions, which are primarily focused on consumer protection and suspicious activity reporting.
Key highlights include:
Notification requirements applicable to Banking Institutions
Timing of notification to Agencies: Notification must be made as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
Method of notification to Agencies: Banking institutions are only required to indicate that a notification incident has occurred, using any form or template (email, telephone, or a similar method prescribed by the agencies).
Notification requirements applicable to Bank Service Provider
Timing of Bank Service Provider notification to banking organization customers: Notice must be provided as soon as possible once the Bank Service Provider determines that it has experienced a notification incident.
Bank Service Provider notification to banking organization customers: These entities must notify “at least one bank-designated point of contact at each affected banking organization customer.” If no such contact has been designated, the financial institution’s chief executive officer and chief information officer (or two individuals with comparable responsibilities) must be notified.
A “computer-security incident” is defined in the Final Rule as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”
A “notification incident” is defined as “a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s —
Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
The Notification Rule is scheduled to take effect on April 1, 2022, with full compliance required by May 1, 2022.