On November 18th, 2021, federal banking regulators announced new compliance obligations that require sharing of information involving cyber incidents that impact organizations in the U.S. banking system. This follows an overarching trend of government regulators seeking increased information sharing between the public and private sector that is specific to cyber threats.

Authors: John Farley, Eileen Yuen


Key Requirements of the Final Rule

The final rule, issued by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, mandates that banking organizations notify its primary federal regulator of any "significant computer security incident" as soon as possible, but no later than 36 hours after the banking organization determines that a cyber incident has occurred.

Specifically, notification is required for incidents that have materially affected, or reasonably likely to materially affect, the viability of a banking organizations operations, ability to deliver banking products and services, or the stability of the financial sector.

The final rule also requires bank service providers to notify banking organization customers of computer-security incidents that have materially affected, or is reasonably likely to materially affect, banking organization customers for four or more hours.

This new requirement goes into effect on May 1, 2022. Read the full press release on the Federal Reserve website.

Compliance Strategies

Our clients that may be impacted by this new mandate should communicate this compliance requirement to key stakeholders within their respective organizations. In addition, cyber incident response plans should be updated to reflect actions needed to meet these expectations of regulators.

Most cyber insurance policies provide 24/7 access to several breach response experts, including breach coaches that can provide regulatory compliance guidance and forensic investigators that can investigate cyber incidents quickly and efficiently. These vendors may be crucial in navigating and complying with this and other stringent reporting requirements in the aftermath of a cyber incident, and should play important roles in incident response plans.

Author Information