January 27, 2022

Volume XII, Number 27

Computer-Security Incident Rule Creates New Notification Requirements for Banking Organizations and Bank Service Providers

On November 18, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) issued a joint final rule (the “Computer-Security Incident Rule” or the “Final Rule”) establishing computer-security incident notification requirements for banking organizations and their bank service providers. The Final Rule, which has an effective date of April 1, 2022, and a mandatory compliance date of May 1, 2022, contains two major components.

First, a “banking organization” must notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. Note that the 36-hour clock runs from the determination, not from the moment the incident is first detected. Second, a “bank service provider” must notify each affected banking organization customer as soon as possible after it determines that it has experienced a “computer-security incident” that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the covered services it provides to that banking organization for four or more hours. The purpose of the Computer-Security Incident Rule’s notification requirements is to give the agencies earlier awareness of emerging threats to banking organizations and the broader financial system.

The Final Rule defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This is narrower than the definition in the proposed rule, which also covered potential harm and violations (or imminent threats of violation) of security policies, security procedures, or acceptable use policies; the agencies dropped those prongs in the Final Rule.

A “notification incident” is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, (i) the banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base in the ordinary course of business; (ii) a business line whose failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations whose failure or discontinuance would pose a threat to the financial stability of the United States. The agencies’ non-exhaustive list of “computer-security incidents” that would rise to the level of a “notification incident” and trigger the Final Rule’s notification requirements includes:

  • A ransomware or malware attack that encrypts a core banking system or backup data;

  • A large scale distributed denial of service attack that disrupts customer account access for an extended period of time;

  • A failed system upgrade or change that results in widespread user outages for customers and banking organization employees; or

  • A computer hacking incident that disables banking operations for an extended period of time.

The Final Rule applies to FDIC-, FRB-, and OCC-regulated “banking organizations” (including US bank and savings and loan holding companies, national banks, and member and non-member state banks) and to “bank service providers” (service providers that perform “covered services” for such banking organizations, such as payment processing). Banking organizations and bank service providers should promptly consult counsel to create or update an incident response plan and to implement the policies and procedures needed to ensure compliance with all of the Computer-Security Incident Rule’s requirements before its mandatory compliance date.

© Steptoe & Johnson PLLC. All Rights Reserved. National Law Review, Volume XI, Number 341

About this Author

Shawn Morgan, Trial Attorney, Federal Court Litigator, Grand Jury Witness Appearances, Steptoe Johnson Law Firm
Member

Shawn Morgan has extensive trial experience in the area of federal court litigation and is skilled in handling government investigations and grand jury witness appearances.  She is a 13-year veteran of the U.S. Attorney’s Office, Northern District of West Virginia, where she prosecuted federal criminal cases.  Prior to joining the U.S. Attorney’s Office, she spent four years as a judicial clerk for The Honorable Irene M. Keeley and three years in private practice in Clarksburg.  She leads the firm’s Cybersecurity Breach Response Team and currently serves as...

(304) 933-8119
Edward Rice, Financial Attorney, Steptoe & Johnson Law Firm
Member

Ed Rice views legal issues and challenges from the client perspective, and understands that the ultimate purpose of all legal work is to meet client business objectives. Ed’s insights on client service come from his significant and diverse in-house counsel experience, including stints as General Counsel to a cutting edge fintech company in Montana, senior level legal positions in large banking institutions, and his many years in private practice counselling a diverse portfolio of financial services, fintech, technology and industrial clients. Ed’s clients view him as their partner and an...

412-504-8054
Joseph R. Lewis III Corporate Attorney Steptoe & Johnson Pittsburgh
Associate

Like Joe Louis the heavyweight boxing champ, Joe Lewis the attorney doesn’t pull any punches.  He uses this forthright approach to solve legal and business issues for corporate clients. Joe is at the table with his clients in a variety of situations and in every stage of the lifecycle of their business.  Clients turn to Joe for a variety of transactions, including mergers and acquisitions, asset financing and purchases, and divestitures of business assets and real estate. Joe often supports senior litigators in the firm and is a valuable resource in defending complex ...

412-504-8025