2021-11-23 | 2021-25510

Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

The Office of the Comptroller of the Currency, the Federal Reserve Board, and the FDIC issued a final rule requiring banking organizations to notify their primary federal regulator of a "notification incident" (a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the organization's operations, lines of business, or U.S. financial stability) as soon as possible and no later than 36 hours after the banking organization determines that such an incident has occurred. The rule additionally requires bank service providers to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible after determining that a computer-security incident has caused, or is reasonably likely to cause, a material service disruption or degradation lasting four or more hours. By adapting its definition of "computer-security incident" from National Institute of Standards and Technology guidance and establishing firm notification timelines, the rule aims to give regulators earlier awareness of emerging cyber threats and safeguard financial system stability. The rule takes effect April 1, 2022, with compliance required by May 1, 2022.

United States

Federal Reserve Board