The OCC, FDIC and Federal Reserve Board adopted a final rule to improve information sharing regarding cyber incidents impacting the U.S. banking system.
The rule requires banking organizations to notify their primary federal regulator of "any significant computer-security incident" no later than 36 hours after a determination is made that a cyber incident occurred. According to the interagency release, this will help the banking regulators address threats before they become systemic. Notification is required for incidents that have either materially affected or are likely to materially affect (i) the "viability" of a banking organization's operations or ability to provide products and services, or (ii) the overall stability of the financial sector. In addition, the rule requires a bank service provider to notify banking organization customers when a computer-security incident occurs that "has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours."
In a public statement, FDIC Chairman Jelena McWilliams said that the final rule addresses a "gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations, allowing the FDIC and our fellow banking supervisors to be better positioned to understand and to respond to cybersecurity threats across the banking sector." Ms. McWilliams added that through the interagency rulemaking, several changes were made to the proposed rule to resolve concerns with regards to the over-reporting of incidents.
The effective date of the rule is April 1, 2022; compliance is required by May 1, 2022.