Federal banking regulators issued a final rule that impacts how banks and other regulated entities report certain data incidents. Those subject to these new reporting requirements include U.S. banks and bank service providers. The rule is effective April 1, 2022, and covered entities are expected to comply with the final rule by May 1, 2022. The new requirements reflect ongoing concern to identify and stop computer security incidents before they become systemic.
As we detail in our sister blog here, banks will have to 36 hours to notify their primary regulator after determining that they suffered a computer-security incident that rises to the level of a notification incident. Two definitions are important for understanding when such notice is required. First, a computer-security incident is one that would result in actual harm to either information systems or underlying information in those systems. Second, a notification incident is one that materially disrupts a banking organization’s operations or lines of business.
For notices that fall in this 36 hour time frame, the notice can occur to the regulator in a variety of ways. This includes email or phone. The rule also provides for regulators to create alternate methods for notice to be submitted.
Under the rule, bank service providers will also have to notify bank clients “as soon as possible” if there is a computer-security incident that is -or is likely- to materially interferes with covered services for four or more hours. The parties can design a notice method that works best, provided that clients get the notice in a timely manner.
Putting it Into Practice: Banks have six months to prepare for this upcoming rapid-notice requirement. During this time they can determine how they will identify and address computer-security and notification incidents. They will also want to work with clients to determine how best to provide the four-hour notice, if such notice is ever needed.