Agencies Finalize Rule Regarding Notification of Cyber Attacks

The federal banking agencies today finalized a rule requiring banks to notify their primary regulator within 36 hours of becoming aware that a “computer-security incident” that rises to the level of a “notification incident,” has occurred. The rule also requires bank service providers to notify affected banking organization customers as soon as possible when it determines that it experienced a computer-security incident that “has or is likely to materially affect customers for four or more hours.” The agencies said compliance with the final rule is required by May 1, 2022.

The rule defines a computer-security incident as an occurrence that results in actual harm to an information system or the information contained within it. It defines a notification incident as one that has—or is likely—to materially disrupt or degrade banking operations, activities or processes or delivery of products to customers, among other things.

After the rule was proposed, the American Bankers Association put together a working group of 100 members to raise concerns about the rule. The association has also called on regulators to continue acknowledging the importance of voluntary notice of cyber incidents and develop flexible notice options that are responsive to needs of the financial system.