by Luke Dembosky, Avi Gesser, Satish Kini, Gregory Lyons, Johanna Skrzypczyk, Christopher Ford, Alex Mogul, and Erik Rubinstein
On November 18, 2021, federal banking regulators published a Final Rule that imposes new notification requirements on banking organizations for certain cybersecurity incidents.
Most significantly, the Final Rule requires that banking organizations notify their primary federal regulator within 36 hours after experiencing a material or potentially material cybersecurity event.
The Final Rule will go into effect on April 1, 2022, with a required compliance date of May 1, 2022.
The regulators – the Federal Deposit Insurance Corporation (“FDIC”), the Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB”) (together, the “Agencies”) – first published a proposed rule about ten months ago, which we covered on the Data Blog. Much of the proposed rule was carried over into the Final Rule, but there are a few key differences, which we identify below.