Proposal requires ‘prompt’ alert to security incidents

(Dec. 18, 2020) A new proposal that would require financial institutions to provide “prompt notification” to their federal regulators upon occurrence of a security incident may be coming to an NCUA Board meeting in the not-so-distant future.

This week, federal banking regulators released a joint proposal (with a 90-day comment period) requiring banks to provide the notification no later than 36 hours after the banking organization believes in good faith that an incident occurred. The notification requirement, the proposal states, is intended to serve as an early alert to a banking organization’s primary federal regulator “and is not intended to provide an assessment of the incident.”

NCUA was not included in the joint release. However, given the scope of the proposal (and the recent highly publicized SolarWinds hack) it’s possible the credit union regulator may soon issue its own version for entities under its supervision.

Notably, the bank regulators’ proposal does something NCUA cannot now do: require a bank service provider to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.

Also this week, the FDIC for the first time included consideration of competition presented by credit unions when less-than-well-capitalized banks are facing interest rate restrictions by the regulator. Under the new rule adopted by the agency’s board, interest rates offered by credit unions in a market area could be cited by a bank as a way of mitigating the level of restrictions.

Joint proposal: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers