Agencies issue computer incident notification final rule


Federal banking regulators approved a final rule designed to improve the sharing of information about cyber incidents that may affect the U.S. banking system.

November 19, 2021 / By ICBA

Notification: The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after it determines a cyber incident has occurred.

Material Effect: Notification is required for incidents that have materially affected—or are reasonably likely to materially affect—the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.

Service Providers: The rule also requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines it has experienced an incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.

ICBA Position: In a comment letter earlier this year, ICBA expressed opposition to the rule, noting that community banks are already required to report incidents under the Gramm-Leach-Bliley Act.

Deadline: Compliance with the final rule is required by May 1, 2022.
