The federal banking agencies (FRB, FDIC, and OCC) have issued their final rule to require banks to notify their primary federal regulatory of any “computer-security incident” that rises to the level of a “notification incident”, as soon as possible and no later than 36 hours after the bank determines that a notification incident has occurred.
The rule defines a “computer-security incident” as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
“Notification incident” is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The final rule is effective April 1, 2022 and has a compliance data of May 1, 2022. The full final rule may be viewed here.