(Nov. 24, 2021) A final rule requiring banks to notify their federal regulators of certain cyber incidents with potentially systemic effects was approved jointly late last week; it takes effect April 1, with compliance required by May 1. NCUA has not yet adopted a similar rule for credit unions.
Adopted by the Federal Reserve, FDIC, and OCC, the final rule requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred, according to a notice for the Federal Register.
The final rule defines a “notification incident” as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- business line (or lines), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours, the notice states.