Computer-Security Incident Notification Requirements

  • Financial services
  • 2/21/2022

In fall 2021, the banking agencies issued a final rule regarding computer-security incident notifications. See how this new rule impacts your bank.

This blog was authored by my colleague Bonnie Newsome, NCCO, CUCE, BSACS, Regulatory Compliance Director, Financial Institutions.

In fall 2021, the banking agencies (Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), and Federal Deposit Insurance Corporation (FDIC)) issued a final rule regarding computer-security incident notifications.

Effective April 1, 2022, the OCC, Board, and FDIC will require a banking organization to notify its primary Federal regulator, and a bank service provider to notify each affected banking organization customer, of any “computer-security incident” that rises to the level of a “notification incident.”

To understand this ruling, it is important to understand certain definitions.

  • A banking organization includes all depository institutions, holding companies, and certain other financial entities that are supervised by one or more of the agencies.
  • A bank service provider means a bank service company or other person that performs covered services.
  • Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
  • Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s ability to carry out banking functions for its customer base in the ordinary course of business; any part of its business whose failure would result in a material loss of revenue, profit, or franchise value; or any operations whose failure or discontinuance would pose a threat to the financial stability of the United States.

Beginning May 1, 2022, a banking organization is required to notify its primary regulator upon the occurrence of a “notification incident,” and no later than 36 hours after determining that a “notification incident” has occurred. Bank service providers will be required to notify at least one bank-designated point of contact at each affected banking organization as soon as possible once they have determined that they have experienced a computer-security incident.

Notification can be done through email, telephone, or other similar methods as prescribed by your appropriate agency. The final rule can be accessed here.

How Can We Help?

CLA continues to provide seamless, integrated services to our clients. Whether you need help navigating new regulatory rules, require risk management services, or need a trusted advisor, we are here to know you and to help you. Contact Us to learn more.

This blog contains general information and does not constitute the rendering of legal, accounting, investment, tax, or other professional services. Consult with your advisors regarding the applicability of this content to your specific circumstances.
