This article was originally written by our North America colleagues for a U.S. audience. We have shared this article for information purposes only as it may be of interest to our global clients. Please speak to your local office contact to further discuss any of the points raised in this article.
On November 18, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency issued a joint Final Rule to establish computer-security incident notification requirements for all FDIC-supervised institutions and their bank service providers. This rule takes effect on April 1, 2022, with full compliance required by May 1, 2022. It is estimated to impact approximately 5,000 depository institutions.
FDIC Chairman Jelena McWilliams noted that the rule “addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations.”
Key highlights:
Examples of notification incidents under the new rule include a major computer-system failure; a cyber-related interruption, such as a ransomware or other malware attack, or a distributed denial of service attack; or another type of significant operational interruption. Such an incident does not trigger state data breach notification laws unless there was unauthorized access to, or unauthorized acquisition of, personal consumer information.
An additional part of the rule requires bank service providers to notify their banking clients in the event the provider has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organizations. Covered services are those performed by a person subject to the Bank Service Company Act. Unlike the quick 36-hour notification timeframe for banking organizations, bank service providers are required to notify the affected banking organization “as soon as possible”; this wording, rather than the proposed “immediately”, gives bank service providers some flexibility in making the determination.
Notice must be given to the banking organization’s designated point of contact, if previously provided, or to the bank’s chief executive officer and chief information officer or two individuals of comparable responsibilities.
Willis Towers Watson recommends that all risk managers read the Final Rule in detail, as it provides additional commentary on the intent and thought process of the regulators in finalizing the rule. Willis Towers Watson considers the following points noteworthy for impacted organizations:
Though much of the ambiguity and many of the challenges presented in the Notice of Proposed Rulemaking were addressed in the Final Rule, the impact on affected organizations has the potential to be material, in particular the 36-hour reporting window. Time will tell whether the rule is effective in achieving its objective of promoting early awareness of emerging threats to banking organizations and the broader financial system.