On November 18, 2021, a group of federal bank regulators
announced a final rule
requiring banks to notify their primary federal regulator of any
“significant computer-security incidents.” Regulators
must be notified no later than thirty-six hours after the bank has
determined that the incident triggers the rule’s notification
requirement. Further, bank service providers are now required to
promptly notify all affected banks whenever a cybersecurity
disruption lasts for four or more hours.
The rule is the latest regulation requiring entities who have
suffered a cybersecurity incident to promptly notify a government
agency. Unlike some of those regulations, this rule is not linked
to compromised consumer data.
The rule was initially proposed in
January 2021. In the intervening months, both President Biden and
Federal Reserve Chair Powell have described cyber-attacks as a
major threat to the private and public sectors. In May 2021,
President Biden issued an executive order to bolster federal
cybersecurity standards. Congress, as part of its annual defense
policy bill, is currently debating a proposal to require certain
entities to report cyber intrusions to the federal government.
The rule was jointly issued by the Board of Governors of the
Federal Reserve (“Board”), the Federal Deposit Insurance
Corporation (“FDIC”), and the Office of the Comptroller
of the Currency (“OCC”). All three have adopted nearly
identical versions of the rule, differing only to identify the
specific banking organizations subject to their individual
authority. Each regulator cites different statutes as the basis of
its authority, including the Federal Deposit Insurance Act, the
Home Owners’ Loan Act, the Bank Service Company Act, and the
Federal Reserve Act. The Gramm-Leach-Bliley Act is not a basis of
the rule’s authority.
The agencies note the increasing frequency and severity of
cyberattacks on the financial services industry as a key motivator
for the rule. They write that the new rule will allow them to
better detect and assess cybersecurity threats, facilitate
assistance to victims, and provide information to other banks.
The rule has two prongs: (1) banks are now required to notify
their primary federal regulator when they suffer from certain
disruptive cybersecurity incidents; and (2) bank service providers
must notify affected customer banks when an incident disrupts
covered services for four or more hours.
Banks Must Notify Their Primary Federal Regulator
Each regulator defined a banking organization according to their
- For the OCC, this includes national banks, federal savings
associations, and federal branches of foreign banks.
- The Board subjects all U.S. bank holding companies, state
member banks, and U.S. operations of foreign banks to the
- The FDIC defines “banking organizations” to include
all insured state nonmember banks and insured state-licensed
branches of foreign banks.
The rule does not apply to financial market utilities, financial
technology firms, and non-bank OCC-chartered entities. Altogether,
the regulation will apply to most traditional depository
The rule is concerned about actual harm to the confidentiality,
integrity, or availability of an information system – or the
information on the system. These occurrences are
When a “computer-security incident” materially
disrupts a bank’s ability to carry out ordinary operations,
results in a material loss in revenue, or poses a threat to the
financial stability of the United States, the bank must notify its
primary federal regulator. These kinds of computer-security
incidents are referred to as “notification
The rule provides a non-exhaustive list of “notification
incidents” that would require notification:
- large scale distributed denial of service attacks that disrupt
customer access for more than 4 hours;
- a bank service provider experiences widespread system outages
with no determinable recovery time;
- a failed system upgrade results in widespread user
- an unrecoverable system failure that triggers the bank’s
disaster recovery plan;
- a computer hacking incident that disables banking operations
for an extended period of time;
- malware on a bank’s network that is an imminent threat to
core business lines or operations;
- a ransom malware attack that encrypts a core banking system or
Once a bank determines that a notification incident has
occurred, it must alert its primary federal regulator promptly and
no later than thirty-six hours after the determination was
Bank Service Providers Must Notify Banks
The second prong of the rule requires bank service providers to
notify banks affected by a disruption as soon as possible. A bank
service provider is a “bank service company” or a person
that performs services subject to the Bank Service Company Act,
except for financial market utilities.
Once a service provider has determined that a
“computer-security incident” is likely to materially
disrupt or degrade covered services for four or more hours, it must
notify affected banks as soon as possible. This requirement is
independent of any existing contractual provisions. The rule does
not apply to scheduled maintenance or tests. Bank service providers
do not have to determine whether the incident is a
After receiving a notification from the provider, a bank must
determine whether the incident is a “notification
incident.” If it is, the bank has thirty-six hours to notify
the regulator from once it has made that determination. The
agencies have stated they will not penalize a bank because the
service provider fails to comply with the notification
The rule is effective April 1, 2022; entities must be compliant
by May 1, 2022.
Banks will want to revise their internal policies to ensure they
are promptly identifying and assessing cyber incidents.
Additionally, banks and bank service providers will want to assess
whether any existing notification processes are designed to ensure
that the banks are receiving timely notice.
All banking entities subject to the jurisdiction of the Board,
FDIC, or the OCC should promptly review the rule to ensure they are
compliant by May 1.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.