MONTH-IN-BRIEF (Nov 2021)
Federal Agencies Issue Final Rule on Computer-Security Incident Notification Requirements for Banking Organizations
By Christopher Greenidge, McGlinchey Stafford, PLLC
On November 18, 2021, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC) announced the adoption of a final rule that requires a banking organization to notify its primary federal regulator of a significant computer-security incident within 36 hours after the organization determines that the incident has occurred.
The rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.