Bank Computer Security Incident Notification Requirements

The three prudential bank regulators published Final Rules for Computer-Security Incident Notification Requirements (Final Rules) on November 23, 2021. The purpose of the Final Rules is to promote timely notification of computer-security incidents that materially and adversely affect an insured depository institution. The new rules apply to insured depository institutions and to bank service providers that perform covered services for those institutions. The Final Rules take effect on April 1, 2022, with full compliance required by May 1, 2022.

Under the Final Rules, an insured depository institution must notify its primary federal banking regulator as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has occurred. A bank service provider must notify each affected banking organization as soon as possible once it determines that it has experienced a computer-security incident that has materially disrupted or degraded a covered service for four or more hours.

Key to the reporting duties are the definitions of two terms: “computer-security incident” and “notification incident.” A computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system, or of the information that the system processes, stores, or transmits. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s (i) ability to carry out banking operations, activities, or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business lines, including associated operations, services, functions, and support, whose failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions, and support, as…

Source…