INTERAGENCY FINAL RULE ON COMPUTER-SECURITY INCIDENT NOTIFICATION REQUIREMENTS

On November 17, 2021, the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC) released a final rule that requires:

  • A banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
  • A bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

The final rule is effective April 1, 2022, and compliance is mandatory on May 1, 2022.