FDIC Announces New Computer-Security Incident Notification Requirement For Banking Organizations and Their Bank Service Providers

Co-authored by River Mullan

In November 2021, the FDIC announced that U.S financial regulators have approved a new rule that would require banking organizations to report any significant computer-security incident within 36 hours of discovery to both its primary federal regulator and banking organization customers that are likely to be materially affected for four or more hours. Computer-security incidents are defined as those that affect, or are likely to affect, the viability of a lender’s operations, stability of the financial system, or its products and services to customers. These incidents can range from ransomware attacks, malware infections and all the way up to full on Distributed Denial of Service (DDoS) attacks.

This rule, approved by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC), will take effect on April 1, 2022, with full compliance expected by May 2022, will also extend to bank service providers. These service providers will be asked to notify the primary point of contact at its banking clients as soon as possible when a computer-security incident has materially disrupted or degraded covered services for four or more hours. The rule defines “covered services” as services performed by a bank service provider that are subject to the Bank Service Company Act (12 U.S.C. 1861 – 1867).

As a result of the finalization of this rule, organizations in the banking industry should consider revisiting their incident response plans to confirm that policies and procedures related to communication to affected parties are in-line with the standards outlined in this new rule. Further, they should confirm that third-party vendors providing covered services have an incident response plan that contains policies and procedures that include contacting the appropriate primary point of contact to ensure compliance with the standards in this new rule.

For more information and specific details on the standards outlined in this rule, visit the FDIC website.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.