On December 17, 2020, the Office of the Comptroller of the Currency, Treasury (OCC); the Federal Reserve; and the Federal Deposit Insurance Corporation (FDIC) issued a Notice of Proposed Rulemaking that would require financial institutions to notify their primary federal financial regulator, within 36 hours of becoming aware, that a “computer-security incident” or “notification incident” has occurred. The rule would also require bank service providers to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.” The text of the Notice of Proposed Rulemaking, titled “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” (the Proposed Notice Rule), can be found here. Interested parties are encouraged to submit comments to the Proposed Notice Rule within 90 days after the date of publication in the Federal Register.
Read more via our "Federal Financial Regulators Propose Requiring Banks Report Cyber Incidents Within 36 Hours" client alert.
