Federal Agencies Announce a New 36-Hour Cybersecurity Incident Rule Reporting Requirement | Cozen O’Connor

On November 18, 2021, the Office of the Comptroller of the Currency (“OCC”),  the Board of Governors of the Federal Reserve System (“Board”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, the “Agencies”) issued a new rule (the “Rule”) that requires banking organizations and their bank service providers to report any “significant” cybersecurity incident within 36 hours of discovery, as set forth in the Federal Register (see 12 CFR Part 53 for the OCC, 12 CFR Part 225 for the Board and 12 CFR Part 304 for the FDIC). Due to the frequency and severity of cyberattacks on the financial services industry, the Rule is intended to promote the timely notification of “computer-security incidents” (as defined below) that may materially and adversely affect entities regulated by the Agencies. The Rule takes effect on April 1, 2022, with full compliance required by May 1, 2022.

Which entities does this Rule apply to?

The Rule applies to FDIC, Board, and OCC regulated “banking organizations.” The definition of a banking organization differs based on the applicable federal regulator:

  • FDIC: an FDIC-supervised insured depository institution, including all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations
  • Board: a U.S. bank holding company, U.S. savings and loan holding company, state member bank, the U.S. operations of foreign banking organizations, and an Edge Act or agreement corporation
  • OCC: a national bank, federal savings association, or federal branch or agency of a foreign bank

The Rule also applies to a “bank service provider,” which is defined as a “bank service company” or other person who performs “covered services,” which are services performed by a “person” that are subject to the Bank Service Company Act (“BSCA”) (12 U.S.C. §§ 1861–1867). Services covered by the BSCA include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical, bookkeeping, accounting, statistical, or similar functions such as data processing, online banking, and mobile…