by Nicole Friedlander, Jared Fishman, Ethan Chess, and Jonathan Silverstone
On December 18, the Board of Governors of the Federal Reserve System (the “Board”), Office of the Comptroller of the Currency (the “OCC”) and the Federal Deposit Insurance Corporation (the “FDIC,” and together, the “Agencies”) released a notice of proposed rulemaking (the “proposal”) regarding notification requirements for banking organizations and bank service providers related to significant cybersecurity incidents.[1]
Under the proposal, a banking organization would be required to notify its primary banking regulator within 36 hours of a “computer-security incident” that it believes in good faith could materially disrupt, degrade, or impair (i) its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base; (ii) any of its business lines, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or (iii) any operations, including associated services, functions and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. Additionally, bank service providers would have to notify at least two individuals at affected banking organization customers immediately of significant computer-security incidents.