Federal Banking Agencies Approve Final Computer-Security Notification Rule

The OCC, the Board of Governors of the Federal Reserve System, and the FDIC recently published a final rule to institute a computer-security incident notification requirement for banking organizations and bank service providers.  The final rule contains two primary requirements. 

First, banks must notify their primary federal regulator as soon as possible and no later than 36 hours after the banking organization determines a notification incident has occurred.  The rule defines a computer-security incident as an occurrence that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” 

Second, bank service providers must notify at least one bank-designated point of contact at each affected customer bank as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, material disruption or degradation in covered services (services performed by a person subject to the Bank Service Company Act) for more than four hours.

The rule becomes effective on April 1, 2022, with compliance required by May 1, 2022.