BPI Supports Cyber Incident Notification Rule Finalized by Banking Regulators

Washington, D.C. — The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation issued a final rule yesterday requiring a bank to notify its primary federal regulator if a data breach or other computer-security incident occurs. The rule outlines that once a bank determines that an incident has occurred, a notification must be made “as soon as possible and no later than 36 hours.”

In response to the announcement of the final rule, BPI Senior Vice President, Technology and Risk Strategy Heather Hogsett issued the following statement:

BPI recognizes the value of timely notification and supports the final rule, which establishes a clear timeline and flexible process for notifying regulators and affected parties when a significant incident occurs. The rule also importantly maintains a clear distinction between notification and reporting. Cyber-incident notification encourages early collaboration between regulators and banks so that regulators are made aware of circumstances that may have broader implications across the financial system while banks work to respond to, and investigate, the incident. Legislation to address cyber-incident reporting—a more detailed and intensive reporting mechanism—is being considered by the Senate and BPI encourages prompt passage, which would complement this rule and would further strengthen the resilience of the U.S. economy by requiring all critical infrastructure sectors to comply with the same incident-reporting rules and regulations that have applied to banks for over 20 years.

The rule becomes effective on April 1, 2022 and compliance starts May 1, 2022. In addition to regulator notification, it will require a bank service provider to notify an affected customer as soon as possible when it determines that the incident may cause material service disruption or degradation for four or more hours. The rule also seeks to more clearly define a “computer-security incident” and “notification incident,” and establishes channels by which an impacted financial institution may conduct its notification.


Media Contact

Austin Anton

