The Federal Deposit Insurance Corporation, Federal Reserve, and Office of the Comptroller of the Currency (collectively the federal banking regulators) have issued a final rule requiring banking organizations and bank service providers to make certain notifications in the event of a “computer-security incident.”

Issued on November 18, 2021, the rule takes effect April 1, 2022, providing covered organizations with some time to update their incident response processes and vendor agreements.

The rule does not change any other security incident notification requirements for banking organizations, such as those under the federal banking regulators’ Gramm-Leach-Bliley Act interagency guidelines or those requiring that law enforcement agencies be notified about potentially criminal security incidents.

Under the rule, banking organizations supervised by the respective federal banking regulators must notify the appropriate federal banking regulator supervisory office or designated point of contact no later than 36 hours after the banking organization determines that a notifiable computer-security incident has occurred.

A “computer-security incident” is defined as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” This definition is meant to align with NIST terminology and focuses on the type of incident and the incident’s effect on the banking organization, not just on specific information systems. Computer-security incidents go beyond malicious attacks and malware and include system outages with undetermined recovery times and system failures that trigger a banking organization’s business continuity or disaster recovery plans.

When a banking organization experiences a computer-security incident, the incident is notifiable if it materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, a banking organization’s (1) ability to carry out operations, activities, or processes or deliver banking products and services to a material portion of its customer base; (2) business lines that upon failure would result in a material loss of revenue, profit, or franchise value, or (3) operations where the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Bank service providers that provide banking organizations with services covered by the Bank Services Company Act must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible after determining that the service provider experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to a banking organization for four or more hours. The rule applies to bank service providers regardless of their service delivery model (eg, on premises, SaaS, or shared-responsibility model). Once a banking organization receives notice of a computer-security incident from its service provider, the banking organization must then determine whether it must notify its respective federal banking regulator about the incident. The federal banking regulators were clear in the rule’s explanation that the rule will supersede any conflicting contractual security incident notice requirements between a bank service provider and a banking organization.

The rule does not require a notification, whether it is made by a banking organization or a bank service provider, to include any specific content or information. The notice should simply include general information about the computer-security incident that is known at the time. That is because the federal banking regulators want to give banking organizations the flexibility to determine the content of the notification, given the relatively short 36-hour notice window.

Notices filed with the federal banking regulators will be subject to the regulators’ confidentiality rules, which provide protections for confidential, proprietary, examination/supervisory, and sensitive personal information; however, the federal banking regulators cannot guarantee that computer-security incident notifications are not subject to Freedom of Information Act requests, which must be handled on a case-by-case basis.

Notably, the rule excludes organizations that are designated financial market utilities, as these organizations are already required to notify their supervisory regulators in the event of an incident.