Rule finalized requiring notification of cyber incidents

(Nov. 24, 2021) A final rule requiring banks to notify their federal regulators of certain cyber incidents with potentially systemic effects was approved jointly late last week; it takes effect April 1, with compliance required by May 1. NCUA has not yet adopted a similar rule for credit unions.

Adopted by the Federal Reserve, FDIC, and OCC, the final rule requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred, according to a notice for the Federal Register.

The final rule defines a “notification incident” as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

  • ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • business line (or lines), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours, the notice states.


Agencies approve final rule requiring computer-security incident notification