New Incident Notification Requirements Proposed by Federal Regulators for US Financial Institutions and Their Service Providers

By Jeffrey P. Taft, Marcus A. Christian, David A. Simon & Matthew Bisanz on December 23, 2020

In December 2020, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) proposed new cyber incident notification requirements for institutions that they regulate and their service providers (the “Proposal”).1 If adopted, the Proposal would expand and clarify existing notification requirements for financial institutions, which are primarily focused on consumer protection and suspicious activity reporting. Additionally, the Proposal would require service providers to notify their financial institution if certain computer security incidents occur. While the Bank Service Company Act (“BSCA”) generally subjects service providers to supervision and examination by the Federal Regulators as if the services were performed by the financial institution, this authority has not been recently used to directly regulate the conduct of a service provider.2

Comments on the Proposal are due within 90 days of publication in the Federal Register, which is expected to occur later this month or early in 2021. This Legal Update provides some background information related to incident notification requirements and the BSCA and describes the new notification requirements set forth in the Proposal.

Jeffrey P. Taft

Jeffrey Taft is a partner in the Firm’s Financial Services Regulatory & Enforcement group and the Cybersecurity and Data Privacy practice. His practice focuses primarily on bank regulation, bank receivership and insolvency issues, payment systems, consumer financial services and cybersecurity/privacy issues. He has extensive experience counseling financial institutions, merchants, technology companies and other entities on various federal and state banking and consumer credit issues, including compliance with the Bank Holding Company Act, National Bank Act, International Banking Act, Consumer Financial Protection Act, Truth-in-Lending Act, the Fair Credit Reporting Act, the Electronic Fund Transfer Act, the Equal Credit Opportunity Act, the Fair Debt Collection Practices Act, the Real Estate Settlement Procedures Act, state unfair or deceptive acts or practices statutes, CFPB’s UDAAP authority and the development and implementation of privacy, cybersecurity and information security programs under the Gramm-Leach Bliley Act, the NYDFS cybersecurity regulation and industry standards, such as PCI DSS and NIST.

Marcus A. Christian

Marcus Christian is a co-leader of the Washington DC Litigation & Dispute Resolution practice and a partner in Mayer Brown’s Cybersecurity & Data Privacy practice and White Collar Defense & Compliance group. Since joining Mayer Brown in 2013, Marcus has represented clients in matters involving data security planning, board governance of cybersecurity, cyber fraud, data breach response, and congressional investigations, among others.

Marcus is a recognized leader in cybersecurity. He has been named to Cybersecurity Docket’s “Incident Response 30,” recognizing 30 of the “best and brightest data breach response lawyers in the business” three times. The publication also noted that those recognized “have established themselves as the ‘first call’ for companies hit with a cyber attack or other data security incident.” Marcus was also named to the Washingtonian’s Top Lawyer list in 2018 and 2019.

David A. Simon

David Simon is a partner in Mayer Brown’s Washington DC office and a leading member of the global Cybersecurity & Data Privacy practice. He is also a member of the firm’s National Security and Government Contracts practices. A former special counsel at the US Department of Defense (DoD) and chief cyber counsel to the US Cyberspace Solarium Commission, David has deep experience advising victims of ransomware attacks and state-sponsored cyber activity. Named as a Cybersecurity Trailblazer by The National Law Journal, David has also been named to Cybersecurity Docket’s “Incident Response 40,” a collection of 40 of the “best and brightest” incident response attorneys in the country. David regularly supports clients as the lead investigator and crisis manager for cross-border cyber incidents, including data breaches involving personal data, nation-state threats targeting intellectual property, state-sponsored theft of sensitive U.S. government information, and destructive attacks. David has directed and advised on dozens of complex cyber incident and data breach investigations in the last few years alone. He has counseled companies on major cyber incidents and incident preparedness across virtually every sector of the economy. David represents financial institutions, automotive manufacturers and self-driving car companies, tech companies, telecommunications companies, healthcare companies, insurance companies, defense and aerospace companies, private equity firms and their portfolio companies.

  • Posted in:
    Banking, Finance and Securities
  • Blog:
    Inside Cybersecurity & Privacy Law
  • Organization:
    Mayer Brown
