The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the Regulators) are considering a new rule that would require banks to notify their primary federal regulator within 36 hours of when they believe certain security incidents have occurred.
The Regulators are also proposing a new rule that would require bank service providers to notify at least two individuals at the affected bank immediately after the service provider experiences a computer security incident that could disrupt, degrade, or impair the provision of services for more than four hours.
The Regulators published a notice of proposed rulemaking (NPR) in the Federal Register on January 12, 2021, which allows for public comments for 90 days (until April 12, 2021).
Banks should consider the potential impact on procedures, operations, and vendor relations. If new rules are implemented, banks may need to update numerous documents, policies, and contracts that touch on these issues.
Renewed interest in the cyber health of the financial sector
The impetus behind the NPR is not the Regulators’ desire to start policing banks’ cybersecurity programs, or a desire to add a new regulatory burden on banks and their service providers. Rather, the Regulators want to make the rules governing notification consistent, and they want to gather more information about the types of cybersecurity incidents that could impact the stability of the financial sector.
Regardless, it has been quite some time since the Regulators have addressed cybersecurity rulemaking, so it is indicative of a renewed interest in the cyber health of the financial sector.
According to the Regulators, receiving this type of information about cybersecurity incidents from banks early and often can help the Regulators gather intelligence about emerging threats to individual banks and the financial system at large.
Banks required to notify primary regulators of “notification incidents” within 36 hours
Although the NPR sets a new, somewhat strict 36-hour reporting timeline for banks experiencing a cybersecurity incident, the Regulators…