Federal Banking Regulators Issue Rule Requiring 36 Hour Notice of Ransomware and Other Disruptive Cybersecurity Incidents
Monday, November 22, 2021
FDIC Rule Requiring 36 Hour Notice of Ransomware
Print Mail Download i

On November 18, 2021, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint final rule to require banking organizations to provide prompt notice to federal regulators following discovery of ransomware or other disruptive cybersecurity incidents. 

Under existing federal law (the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice), banks must notify their primary federal regulator “as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.” Banks must notify individuals if the bank’s investigation determines that misuse of the individuals’ information has occurred or is reasonably possible as a result of the incident. Banks may also have separate obligations under state data breach notification laws.  

Under the new rule, banks must be also prepared to provide very prompt notice to regulators following cybersecurity incidents that are disrupting, or are reasonably likely to disrupt, the bank’s ability to serve its customers. This notification must occur even if the bank is not aware of unauthorized access to any sensitive customer information.   

The final rule requires covered banking organizations to notify their federal regulator as soon as possible and no later than 36 hours after the banking organization determines that a “computer-security incident” has occurred and rises to the level of a “notification incident.” The notification may be done through email, telephone, or other prescribed communication methods established by each regulator.

The final rule includes the following definitions:

The rule defines a “computer-security incident” as an occurrence that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

The rule defines a “notification incident” as computer-security incident that “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s

  • (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

  • (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

  • (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

The rule provides examples of when notification of a computer-security incident would be required, including major computer-system failure, a cyber-related interruption such as a ransomware attack, or any type of significant operational interruption.

The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible when the service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the banking organization for four or more hours.

Banking organizations and service providers should begin reviewing their incident response plans and talking with counsel about ways to prepare for this new rule. During the first 36 hours following a ransomware attack or other critical cybersecurity incident, bank leaders need to have a well-defined plan to contain and remediate the security threat, preserve forensic evidence, engage counsel and other experts, and communicate with key stakeholders and regulators.

The final rule will take effect on April 1, 2022 and full compliance will be required by May 1, 2022. Federal regulators are anticipated to provide additional guidance and notification logistics in early 2022. 

© Polsinelli PC, Polsinelli LLP in California

Current Legal Analysis

More from Polsinelli PC

HRSA Aims for Swift Dispute Resolution with new 340B ADR Final Rule
by: Mary H. Canavan , Kyle A. Vasquez
Critical Infrastructure Cybersecurity – Evolving Incident Response Obligations, Integral to Effective Risk Management
by: Romaine C. Marshall , Kurt R. Erskine
Vote Scheduled for FTC Final Rule Banning Non-Competes – What You Need to Know
by: Eric E. Packel , Sean R. Gallagher
FDA Preemption of State Law for False Labeling Survives Appeal to Supreme Court
by: Gina L. Tincher , Stacy A. Carpenter
What to Know About New York’s New Supplement Law Going into Effect this Month
by: Stuart M. Pape , Suzanne E. Bassett
The EEOC Issues its Final Rule about the Pregnant Workers Fairness Act
by: Shivani P. Bailey
Easement Fund Victory on Perpetuity Will Result in More Attention on Valuation
by: Lauren P. DeSantis-Then , William J. Sanders
Blockchain+ Bi-Weekly: Week of April 15, 2024
by: Jonathan E. Schmalfeld , Stephen A. Rutenberg
The European Union Has Assigned Your AI Some Homework
by: Aaron M. Levine , Jennifer Bauer
U.S. Federal Privacy Bill Unveiled
by: Allison G. Dressel , Lisa J. Acevedo

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins