Banks, service providers must comply by May 1 with computer-security incident notification rule, FDIC letter reminds

May 1 is the compliance date for the final rule establishing computer-security incident notification requirements for banks and their service providers, the federal bank deposit insurance agency reminded institutions in a letter Tuesday.

In a financial institution letter (FIL-12-2022), the Federal Deposit Insurance Corp. (FDIC) noted that the final rule, issued in November by the FDIC together with the other federal banking agencies, the Federal Reserve and the Office of the Comptroller of the Currency (OCC), requires a bank service provider to notify each affected FDIC-supervised banking organization customer as soon as possible once the service provider determines it has experienced a computer-security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, services provided to such banking organization for four or more hours.”

Banks, the FDIC said, can satisfy their own notification obligation under the rule by reporting an incident to their institution’s case manager, who serves as the primary FDIC contact for all supervisory matters, or to any member of an FDIC examination team if the incident occurs during an examination.

If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email, the agency said.

Computer-Security Incident Notification Implementation