Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service. Read the company’s privacy blog here.

The Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency in November 2021 issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers. The final rule requires a banking organization to notify its primary federal regulator “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.” The rule defines a “notification incident” as a “computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”