Financial Regulators Announce Proposed 36-Hour Notification Requirement for Notification Incidents
Wednesday, December 23, 2020
Computer-Security Incident Final Rule
Print Mail Download i

On December 18, 2020, federal financial regulatory agencies, including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (collectively, the “Agencies”) announced a proposed rule (the “Proposed Rule”) that would require “banking organizations” to notify their primary federal regulator within 36 hours following any “computer-security incident” that rises to the level of a “notification incident.” The Proposed Rule also would require service providers to notify at least two individuals at the banking organizations they service immediately after experiencing a computer-security incident that materially disrupts, degrades or impairs the services they provide.

The Proposed Rule defines a “computer-security incident” as “an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

In turn, the Proposed Rule defines a “notification incident” as “a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—

(i) the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or

(iii) those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

The Agencies note that the purpose of the notification requirement in the Proposed Rule is to serve as an early alert to the Agencies and is not intended to provide a complete and thorough assessment of any particular incident. Early notification will enable the Agencies to:

  • become aware of emerging threats to individual banking organizations and, potentially, to the broader financial system;

  • assess the extent of a threat to a particular banking organization and take appropriate action;

  • provide information to a banking organization that may not have previously faced a particular type of notification incident;

  • better conduct analyses across supervised banking organizations to improve guidance, adjust supervisory programs, and provide information to the industry to help banking organizations protect themselves; and

  • facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection.

The banking organizations may notify the Agencies through any form of written or oral communication, including through any technological means, to their designated point of contact at each Agency. The Proposed Rule notes that a computer-security incident may be the result of non-malicious hardware or software failure or human errors but emphasizes that banking organizations that experience a computer-security incident that may be criminal in nature are expected to contact relevant law enforcement or security agencies, as appropriate, after the incident occurs.

The Agencies have requested comments on key pieces of the Proposed Rule, including (1) whether the definitions of “computer-security incident” and “notification incident” should be modified; (2) whether the 36-hour notification requirement is too short or too long; and (3) which services should require a bank service provider to notify its affected banking organization customers when those services are disrupted, and why.

Interested parties may submit comments within 90 days following publication of the Proposed Rule in the Federal Register.

Download the Proposed Rule.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Legal Analysis

More from Hunton Andrews Kurth

California Wage Hike Law for Fast Food Workers Generates Uncertainty for Some Employers
by: Kirk A. Hornbeck , Brandon Marvisi
Connecticut Attorney General Issues Report on Privacy Law Enforcement Priorities
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
May 2024 Visa Bulletin – Priority Dates Stuck in the Mud
by: Suzan Kern
EEOC and OFCCP Updates – Upcoming Deadlines, Revised Benchmarks and New Race Categories
by: Ryan A. Glasgow , Meredith Gregston
IRS Rules EV Charging Station Revenues Are Qualifying Rents From Real Property for REITs
by: George C. Howell, III , George P. Sibley, III
AI in Real Estate: Prospects and Pitfalls
by: Jimmy Bui
White House Executive Order on AI Rulemaking Efforts Advances as NTIA and White House OMB Issue Reports and Guidance
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Kentucky Set to Enact Comprehensive State Privacy Law
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
UK ICO Publishes Priorities for Protecting Children’s Privacy Online
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Policy Rescission: Avoid Relying Solely on the Broker
by: Yosef Itkin , Patrick M. McDermott

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins