ARTICLE
21 December 2021

Computer-Security Incident Notification Requirement Takes Effect April 1, 2022

Thompson Coburn LLP


The Federal Deposit Insurance Corporation, Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (the “prudential banking regulators”) issued a final rule regarding the Computer-Security Incident Notification Requirement. 

The final rule requires that a “banking organization” notify its primary federal regulator of a “computer-security incident” that rises to the level of a “notification incident.” The notification must be given to the primary federal regulator as soon as possible, and no later than 36 hours after it is determined that a notification incident has occurred. The final rule also contains a requirement that a “bank service provider,” defined as a “bank service company or other person that performs [services covered under the Bank Service Company Act],” notify a banking organization “as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.”

The rule defines a “computer-security incident” as “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” 12 C.F.R. §§ 53.2(4), 225.301(4), 304.22(4). A “Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.” 12 C.F.R. §§ 53.2(7), 225.301(7), 304.22(7). 

The new incident reporting requirements are separate from existing breach notification requirements issued in 2005 under the safeguarding authority granted to the prudential banking regulators by the Gramm-Leach-Bliley Act. The rule takes effect on April 1, 2022, and the compliance date is May 1, 2022.
