The federal banking agencies recently issued a final regulation that will require a bank to notify its primary federal regulator of a cyberattack, or computer-security incident, no later than 36 hours after the bank determines a “notification incident” occurred. The rule is in response to the increasing frequency and severity of cyberattacks on the banking industry.

When must notice be given?

The definitions of “computer-security incident” and “notification incident” under the regulation are important for understanding when a bank must give notice. “Computer-security incident” means an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that system processes, stores, or transmits.

“Notification incident” is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a bank’s operations and services and its ability to serve its customer base. Accordingly, a bank must give notice to its primary federal regulator when an occurrence causes actual harm that fits these criteria.

How must notice be given?

A bank may notify the appropriate supervisory office, or the designated point-of-contact, of its primary federal regulator through email, telephone, or similar methods that the regulator may prescribe.

How soon must the notice be given?

A bank must notify its primary federal regulator “as soon as possible and no later than 36 hours” after the bank determines a notification incident occurred. Thus, a bank should have procedures in place to ensure it is able to give its federal regulator notice within this short time frame after discovering a cyberattack or computer security incident. These procedures should take into account the time required to determine whether the occurrence meets the definition of a notification incident.

What about bank service providers?

The regulation requires a bank service provider to notify its bank customers as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded, or is materially likely to disrupt or degrade, services it provides to the bank.

The regulation says the bank service provider must give the notice to at least one bank-designated point-of-contact. Of course, if the incident affects the bank’s business, operations, or services in a way that constitutes a “notification incident” as described above, the bank should give notice to its primary financial regulator.

When is the regulation effective?

The regulation is effective April 1, 2022, and banks are expected to comply by May 1, 2022.

Conclusion

Under this new guidance, banks need to be prepared to give notice almost immediately upon learning of, for example, a ransomware incident. Woods Rogers recommends banks prepare now by revising policies and procedures to ensure compliance with the rule’s requirements. Banks should also work with their bank service providers to ensure the providers are prepared to comply. Any new and existing bank service provider contracts should include notification provisions in accordance with the rule. In any cyber security incident, Woods Rogers recommends working with outside counsel to craft the appropriate notification that will satisfy regulatory requirements.