A coalition of trade associations comprising the American Bankers Association, Bank Policy Institute, the Institute of International Bankers, and Securities Industry Financial Markets Association submitted recommendations in response to a notice of proposed rulemaking issued by the federal banking agencies to establish new computer-security incident notifications for banks and their service providers.
The organizations strongly support the agencies’ policy goals and recommend several changes to the proposal that would enhance the effectiveness of the outcomes, enable financial institutions to achieve a 36-hour notification timeline, and apply equally to both banks and non-bank chartered financial technology companies. These changes would help to minimize time spent on reporting exercises for minor, low-risk incidents and would free up institutions to dedicate their talent and resources to addressing incidents that affect core bank functions. Furthermore, the letter:
- Encourages the agencies to recognize existing contractual requirements that require service providers to report computer-security incidents and to allow these existing provisions to satisfy the reporting requirements considered under the rule;
- Encourages the agencies to include a determination of how the information will be used and secured once the rule goes into effect; and
- Proposes modifying the title of the rule to more appropriately reflect its scope.