A final rule requiring banks to notify federal regulators of certain cyber incidents with potentially systemic impacts was approved jointly Thursday by the federal banking agencies. The rule is set to take effect April 1, 2022, with compliance required by May 1.
Adopted by the Federal Reserve, Federal Deposit Insurance Corp. (FDIC), and Office of the Comptroller of the Currency (OCC), Thursday’s final rule requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred, according to a notice for the Federal Register.
The final rule defines a “notification incident” as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- business line (or lines), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours, the notice states.