December 6, 2021

Volume XI, Number 340

Advertisement
Advertisement

December 03, 2021

Subscribe to Latest Legal News and Analysis

Federal Regulators Issue New Cyber Incident Reporting Rule for Banks

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers.

The final rule requires a banking organization to notify its primary federal regulator “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.” The rule defines a “notification incident” as a “computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  1. Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

  2. Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

  3. Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Under the rule, a “computer-security incident” is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

Separately, the rule requires a bank service provider to notify each affected banking organization “as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” For purposes of the rule, a bank service provider is one that performs “covered services” (i.e., services subject to the Bank Service Company Act (12 U.S.C. 1861–1867)).

In response to comments received on the agencies’ December 2020 proposed rule, the new rule reflects changes to key definitions and notification provisions applicable to both banks and bank service providers. These changes include, among others, narrowing the definition of a “computer security incident,” replacing the “good faith belief” notification standard for banks with a determination standard, and adding a definition of “covered services” to the bank service provider provisions. With these revisions, the agencies intend to resolve some of the ambiguities in the proposed rule and address commenters’ concerns that the rule would create an undue regulatory burden.

The final rule becomes effective April 1, 2022, and compliance is required by May 1, 2022. The regulators hope this new rule will “help promote early awareness of emerging threats to banking organizations and the broader financial system,” as well as “help the agencies react to these threats before they become systemic.”

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XI, Number 327
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement