Federal Bank Regulators Expand Duty to Notify after a Cybersecurity Event

By James M. Kane, James W. Morrissey, Daniel C. McKay, II, Jennifer Durham King, Juan M. Arciniegas, Mark C. Svalina & Mary Donohue on December 17, 2021

On November 18, 2021, the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the Board of Governors of the Federal Reserve System (FRB) (each, an “Agency” and, collectively, the “Agencies”) finalized a uniform regulation, codified at 12 C.F.R. Part 53, 12 C.F.R. Part 225.300 and 12 C.F.R. Part 304, with the stated purpose of improving the sharing of information about cybersecurity incidents harmful to the U.S. banking system (the “Regulation”). Pursuant to the Regulation, banks will be required to notify their primary federal regulatory Agency within thirty-six (36) hours of “any significant computer-security incident.”

What is the purpose of the Regulation?

The Regulation fills an existing gap among federal regulations, including the current requirements under the Bank Secrecy Act and other anti-money laundering regulations, the Gramm-Leach-Bliley Act and the Bank Service Company Act, none of which presently imposes a direct cybersecurity incident reporting requirement on banking organizations.

When is the Regulation effective?

While the Regulation has an effective date of April 1, 2022, compliance is required by May 1, 2022.

Who is impacted?

The Regulation is applicable to bank holding companies, savings and loan holding companies, national banking associations, state-chartered banks, federal and state savings associations/thrifts and federal and state branches of foreign banks, and to their service providers (collectively hereinafter, a “bank” or “banks”).

What needs to be reported?

Banks will need to consider, on a case-by-case basis, whether any significant computer-security incidents constitute notification incidents for the purposes of reporting. Below is a non-exhaustive list of incidents that generally need to be reported:

  1. large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time;
  2. a bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
  3. a failed system upgrade or change that results in widespread user outages for customers and banking organization employees;
  4. an unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan;
  5. a computer hacking incident that disables banking operations for an extended period of time;
  6. malware on a bank’s network that poses an imminent threat to the bank’s core business lines or critical operations or that requires the bank to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from Internet-based network connections; and
  7. a ransom malware attack that encrypts a core banking system or backup data.

When must a bank report a covered event?

Pursuant to the Regulation, banks will be required to notify their primary federal regulatory Agency of “any significant computer-security incident” within thirty-six (36) hours after the bank has determined a notification incident has occurred. The Regulation, however, does not address directly when a bank is deemed to have “determined” that a notification incident has occurred. The Agencies have noted that the incident does not need to be immediately discovered, but they anticipate that discovery of an incident will be made within a reasonable amount of time. The Agencies have noted that some incidents may occur outside of normal business hours, and only once the banking organization has made such a determination would the timeframe begin. The Agencies encourage same-day notification to their primary federal regulator.

As is current practice, the notification must be made to the appropriate supervisory office or point of contact at the applicable Agency, and the Regulation does not specify content or format requirements for the notice. Notifications are to be made to the Agency point of contact by telephone or email.

What should banks be doing now to prepare for the Regulation?

In the interim, banks should review internal policies and procedures to ensure a reporting procedure is in place to comply with the May 1, 2022 compliance deadline.

State-chartered banks should also keep in mind that certain states, such as New York, have implemented similar reporting requirements. State-level reporting obligations may differ from the Regulation and other federal reporting requirements.

Existing Regulatory Requirements

The new Regulation fills a gap that is not covered by guidance on information security (the “Security Guidelines”). Specifically, the existing interagency Security Guidelines require notice to the appropriate regulator only if certain customer information was compromised and if a bank determined there was a likelihood the information would be misused. The Security Guidelines, codified at 12 C.F.R. Part 30, Appendix B, 12 C.F.R. Part 208, Appendix D-2 and 12 C.F.R. Part 364, Appendix B, remain in effect and direct every financial institution to assess the following risks, among others, when developing its information security program:

  • reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;
  • the likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and
  • the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines, and adopt those that are appropriate for the institution, including the following:

  • access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals;
  • background checks for employees with responsibilities for access to customer information; and
  • response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.

The Security Guidelines impose requirements for a response program, including (i) an assessment of the nature and scope of an incident and types of customer information that have been accessed or misused, (ii) notifying the primary federal regulatory Agency as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information and (iii) notifying appropriate law enforcement authorities, in addition to timely filing a Suspicious Activity Report in situations involving federal criminal violations requiring immediate attention.

The Regulation finalized in November of this year targets general security breaches and cyberattacks, and is not limited to incidents involving a compromise of customer information and the likely misuse of such information, which are addressed in the Security Guidelines. As a result, the Regulation is intended to work alongside existing regulatory obligations to ensure that banks are properly addressing cybersecurity threats.

  • Posted in:
    Financial
  • Blog:
    The 21st Century Banker
  • Organization:
    Vedder Price PC