Final Rule Places New Cybersecurity Reporting Requirements On Banks – Finance and Banking


Last month, the Federal Reserve System’s Board of Governors,
the Federal Deposit Insurance Corporation and the Office of the
Comptroller of the Currency approved a final rule that places
reporting requirements on banks and banking service providers.
Under this new rule, banks must report cybersecurity incidents
within 36 hours to federal regulators. In addition, banking service
providers must notify banks as soon as possible after suffering a
computer security incident. This new rule also requires banks to
inform customers of any computer security incident lasting more
than four hours.

This new rule is part of a current trend of requiring critical
infrastructures to report cybersecurity incidents. This rule goes
into effect starting April 1, 2022, and banks are required to be in
compliance by May 1, 2022. While the rule doesn’t go into
effect until next year, there are several ways that banks and
service providers can prepare.

  1. Determine who will be responsible for reporting the
    incident to the regulators. Cybersecurity incidents are
    stressful. While the rule provides a more extended deadline than
    the 12-hour reporting requirement for pipelines, 36 hours is still
    a quick turnaround. Taking the time now to identify the person
    responsible will…