The Office of the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation provided notice of proposed rulemaking concerning notification requirements for computer-security incidents for banking organizations and their bank service providers.
The proposed rulemaking was published for comment in January 2021 and, if finalized, would require banking organizations and bank service providers to notify regulators upon the occurrence of an incident, such as a data breach, as soon as possible and no later than 36 hours after determining that a qualifying incident has occurred. Only general information about what is known at the time of notification would be expected; the rule contemplates an early alert rather than a completed investigation report.
A banking organization would be required to notify its primary federal regulator in the event of a "notification incident," defined as "a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair:
(i) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
(iii) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States."
A banking organization and a bank service provider would be allowed to use any means of communication, including technological means, to send the notification to the primary federal regulator, and the information provided would be subject to the agencies' confidentiality rules.
In addition, a bank service provider would be required to notify at least two individuals at each affected banking organization customer immediately after experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair the services it provides to that customer for four or more hours.
Interested stakeholders must provide their comments by April 12, 2021.