May 24, 2022

Volume XII, Number 144


May 23, 2022

Beginning in May 2022 Banks Will Have 36 Hours to Disclose Certain Types of Cyber Incidents

Federal banking regulators issued a final rule that impacts how banks and other regulated entities report certain data incidents. Those subject to these new reporting requirements include U.S. banks and bank service providers. The rule is effective April 1, 2022, and covered entities are expected to comply with the final rule by May 1, 2022. The new requirements reflect an ongoing concern with identifying and stopping computer security incidents before they become systemic.

As we detail in our sister blog here, banks will have 36 hours to notify their primary regulator after determining that they suffered a computer-security incident that rises to the level of a notification incident. Two definitions are important for understanding when such notice is required. First, a computer-security incident is one that would result in actual harm to either information systems or underlying information in those systems. Second, a notification incident is one that materially disrupts a banking organization’s operations or lines of business.

For notices that fall within this 36-hour time frame, notice can be given to the regulator in a variety of ways, including by email or phone. The rule also provides for regulators to create alternate methods for notice to be submitted.

Under the rule, bank service providers will also have to notify bank clients “as soon as possible” if there is a computer-security incident that materially interferes, or is likely to materially interfere, with covered services for four or more hours. The parties can design a notice method that works best, provided that clients get the notice in a timely manner.

Putting it Into Practice:  Banks have six months to prepare for this upcoming rapid-notice requirement. During this time they can determine how they will identify and address computer-security and notification incidents. They will also want to work with clients to determine how best to provide the four-hour notice, if such notice is ever needed. 

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 343

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

A.J. S. Dhaliwal Bankruptcy Attorney Sheppard Mullin Washington DC

A.J. is an associate in the Finance and Bankruptcy Practice Group in the firm's Washington, D.C. office. 

A.J. has over a decade of experience helping banks, non-bank financial institutions, and other companies providing financial products and services in a wide range of matters including government enforcement actions, civil litigation, regulatory examinations, and internal investigations.

With a diversified regulatory, compliance, and enforcement background, A.J. counsels financial institutions in matters involving...

Staff Attorney

Harrison Schafer is a staff attorney in the Intellectual Property practice group in the firm's Chicago office. He is a Privacy and Cybersecurity Fellow and a member of the Privacy and Cybersecurity Team. He is a certified information privacy professional (CIPP/E and CIPP/US) by the International Association of Privacy Professionals (IAPP).

Areas of Practice

As a fellow, Harrison’s practice focuses on publishing articles covering relevant legal developments in the privacy and cybersecurity space to...