Last month, the FDIC, Federal Reserve Board, and the OCC announced a final rule to improve information sharing about cyber incidents that may affect the U.S. banking system.  Among other things, the final rule requires banking organizations to inform their primary federal regulator no later than 36 hours after a determination that a “computer-security incident” has reached the level of a “notification incident.”  The final rule notes that notification is required for incidents that have affected, in certain circumstances:

  • the viability of a banking organization’s operations;
  • its ability to deliver banking products and services; or
  • the stability of the financial sector.

In addition, the rule requires a bank service provider to notify banking organization customers as soon as possible when a computer-security incident occurs that “has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”  The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services” that also “experience computer security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization” (we discussed previous guidance from the bank regulators on third-party risk management in an earlier Consumer Finance & FinTech Blog post here).

The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.

Putting It Into Practice:  The business operations and compliance management of both banking organizations and bank service providers will be impacted by the final rule.  Banks should use this time before the rule takes effect to revise their policies to implement the new rule’s requirements and also expect to include relevant notification provisions in new and existing service contracts.  This period should also include adopting or revising policies and procedures to identify a data incident and for reporting the incident to the appropriate agency.