As of April 1, 2022, banking institutions now have 36 hours to report a computer-security incident to their federal regulators (FDIC, Office of the Comptroller of the Currency, or the Federal Reserve Board).
This new rule requires much quicker assessment and action on computer-related events causing disruption to banking operations than the previous rule.
A “computer-security incident” is any occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that system processes, stores, or transmits.
But not all computer-security incidents require reporting. An incident rises to the level of requiring notification to the federal regulator if it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- ability to carry out its banking operations or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- business line(s) (including associated operations, services, functions, and support) that would result in a material loss of revenue, profit, or franchise value upon failure; or
- operations (including associated services, functions and support) the failure or discontinuance of which would pose a threat to the financial stability of the United States.
Notification incidents are therefore those that create a significant operational interruption. Some examples include a major system failure, such as from a failed upgrade or glitches resulting in user outages (to customers or employees); a cyber-related event that disables banking operations for an extended period of time, such as ransomware and denial-of-service attacks; or an unrecoverable system failure that activates a business continuity or disaster recovery plan.
Banking service providers must also provide notification, but to an affected banking organization they service. Such notification must occur as soon as possible once the banking service provider determines it has experienced a computer-security incident that has or is reasonably likely to materially disrupt or degrade covered services provided to the banking organization for four or more hours. This is to help the banking institution have sufficient time to determine if an incident rises to the level of requiring reporting to their regulator.
Compliance with this new reporting rule is required by May 1, 2022. Banking institutions are encouraged to review their data security policies and procedures and make sure their plans are in place now, so that rapid impact assessments and reporting can follow if necessary.
Contact a member of our Information and Business Technology Group if you would like to know more.
This post was written by Jessica Hauth Mozingo