(Dec. 23, 2020) All three federal banking agencies late last week jointly released a proposal requiring banks and banking organizations they supervise to promptly notify their primary federal regulator in the event of a computer security incident.
The joint release follows the individual adoption of the proposal by each agency (such as by the FDIC Board) earlier in the week.
Under the proposal, notification (or alerts) would be required for incidents that could result in a banking organization’s inability to deliver services to a material portion of its customer base, jeopardize the viability of key operations of a banking organization, or impact the stability of the financial sector.
The agencies said the proposed rule is intended to provide the agencies with an early warning of significant computer security incidents and would require notification as soon as possible and no later than 36 hours after a banking organization determines that an incident has occurred.
NCUA did not join in the proposal.
In addition, the agencies said, the proposal would require service providers to notify affected banking organizations immediately when the service provider experiences computer security incidents that materially disrupt, degrade, or impair certain services they provide.