The FDIC, Board of Governors of the Federal Reserve System, and OCC (the Agencies) recently issued a joint notice of proposed rulemaking that would require a banking organization to notify its primary federal regulator of any computer-security incident that the banking organization believes in good faith rises to the level of a notification incident. Comments must be received by April 12, 2021.
The proposal would require a banking organization to notify its primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident has occurred. The proposal explains that a computer-security incident includes occurrences that: (i) result in actual or potential harm to the confidentiality, integrity, or availability of an information system; or (ii) violate or immediately threaten to violate security policies, procedures, or acceptable use policies. The proposal explains that a notification incident includes a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair various banking operations.
Additionally, the proposal would require a bank service provider that provides services described in the Bank Service Company Act to notify at least two individuals at affected banking organization customers immediately after a computer-security incident that it believes in good faith could disrupt, degrade, or impair services for four or more hours. The Agencies explain that a bank service provider is not expected to determine if the computer-security incident rises to the level of a notification incident because it may not know if the service is critical to the banking organization’s operations.
The Agencies explain that the notification requirement is intended to serve as an early alert to the banking organization’s primary federal regulator. No specific information is required in the notice, and it can be provided through any form of written or oral communication.