January 17, 2022

Volume XII, Number 17


Federal Bank Regulators Approve New Cybersecurity Incident Notification Rule

Last month, the FDIC, Federal Reserve Board, and the OCC announced a final rule to improve information sharing about cyber incidents that may affect the U.S. banking system.  Among other things, the final rule requires banking organizations to inform their primary federal regulator no later than 36 hours after determining that a “computer-security incident” has risen to the level of a “notification incident.”  Under the final rule, notification is required for incidents that have affected, or in certain circumstances are reasonably likely to affect:

  • the viability of a banking organization’s operations;

  • its ability to deliver banking products and services; or

  • the stability of the financial sector.

In addition, the rule requires a bank service provider to notify its banking organization customers as soon as possible when a computer-security incident occurs that “has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”  The final rule explains that the notification requirement for bank service providers is important because “banking organizations have become increasingly reliant on third parties to provide essential services,” and those third parties also “experience computer security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization” (we discussed previous guidance from the bank regulators on third-party risk management in an earlier Consumer Finance & FinTech Blog post here).

The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.

Putting It Into Practice:  The business operations and compliance management of both banking organizations and bank service providers will be affected by the final rule.  Banks should use the time before the rule takes effect to revise their policies to implement the new requirements, and should expect to include relevant notification provisions in new and existing service contracts.  Because the 36-hour clock runs from the bank’s determination that an incident is a notification incident, this period should also include adopting or revising policies and procedures for identifying a computer-security incident, determining whether it rises to a notification incident, and reporting it to the appropriate agency.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 342

About this Author

Moorari Shah, Partner

Moorari Shah is a partner in the Finance and Bankruptcy Practice Group in the firm's Los Angeles and San Francisco offices. 

Areas of Practice

Moorari combines deep in-house and law firm experience to deliver practical, business-minded legal advice. He represents banks, fintechs, mortgage companies, auto lenders, and other nonbank institutions in transactional, licensing, regulatory compliance, and government enforcement matters covering mergers and acquisitions, consumer and commercial lending, equipment finance and leasing, and supervisory examinations,...

213-617-4171
A.J. S. Dhaliwal, Associate

A.J. is an associate in the Finance and Bankruptcy Practice Group in the firm's Washington, D.C. office. 

A.J. has over a decade of experience helping banks, non-bank financial institutions, and other companies providing financial products and services in a wide range of matters including government enforcement actions, civil litigation, regulatory examinations, and internal investigations.

With a diversified regulatory, compliance, and enforcement background, A.J. counsels financial institutions in matters involving...

202-747-2323