Federal Banking Regulators Issue Rule Requiring 36 Hour Notice of Ransomware and Other Disruptive Cybersecurity Incidents

Polsinelli

On November 18, 2021, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency issued a joint final rule to require banking organizations to provide prompt notice to federal regulators following discovery of ransomware or other disruptive cybersecurity incidents. 

Under existing federal law (the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice), banks must notify their primary federal regulator “as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.” Banks must notify individuals if the bank’s investigation determines that misuse of the individuals’ information has occurred or is reasonably possible as a result of the incident. Banks may also have separate obligations under state data breach notification laws.  

Under the new rule, banks must also be prepared to provide very prompt notice to regulators following cybersecurity incidents that are disrupting, or are reasonably likely to disrupt, the bank’s ability to serve its customers. This notification must occur even if the bank is not aware of unauthorized access to any sensitive customer information.

The final rule requires covered banking organizations to notify their federal regulator as soon as possible and no later than 36 hours after the banking organization determines that a “computer-security incident” has occurred and rises to the level of a “notification incident.” The notification may be done through email, telephone, or other prescribed communication methods established by each regulator.

The final rule includes the following definitions:

The rule defines a “computer-security incident” as an occurrence that “results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

The rule defines a “notification incident” as a computer-security incident that “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s

  • (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

The rule provides examples of when notification of a computer-security incident would be required, including major computer-system failure, a cyber-related interruption such as a ransomware attack, or any type of significant operational interruption.

The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible when the service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the banking organization for four or more hours.

Banking organizations and service providers should begin reviewing their incident response plans and talking with counsel about ways to prepare for this new rule. During the first 36 hours following a ransomware attack or other critical cybersecurity incident, bank leaders need to have a well-defined plan to contain and remediate the security threat, preserve forensic evidence, engage counsel and other experts, and communicate with key stakeholders and regulators.

The final rule will take effect on April 1, 2022 and full compliance will be required by May 1, 2022. Federal regulators are anticipated to provide additional guidance and notification logistics in early 2022. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising
