ICBA comments on computer security incident notification requirement

ICBA submitted a comment letter in response to a notice of proposed rulemaking requiring banks to notify their primary federal regulator within 36 hours of a computer-security incident.

The proposal would also require a bank service provider to notify at least two individuals at an affected bank immediately after experiencing a computer-security incident that could disrupt, degrade, or impair services for four or more hours.

ICBA Position: Under the Gramm-Leach-Bliley Act, community banks are already required to report incidents in which customer data is accessed or systems that hold customer data are affected. ICBA opposes the proposed incident notification rule because it is duplicative and will be burdensome and difficult to implement.

Recommendations: In the event that the proposal is finalized, ICBA made a number of recommendations, including requesting a safe harbor for banks that may have erred in their initial incident evaluation, developing procedures for how the agencies will address an “incident notification,” and detailing how the process will improve a bank’s incident response capability. Read the comment letter.