As the federal government continues its whole-of-government response to cyber incidents, federal banking regulators have taken action to impose a new notice requirement on federally regulated banks. In November, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve Board of Governors (“Board”) jointly issued a final rule that requires a federally regulated bank to notify its primary federal regulator within 36 hours after determining that a computer-security “notification incident” has occurred. We provide below a summary of the new notice requirement, which will apply to banking organizations and service providers starting in April 2022.
When does this final rule take effect?
The final rule takes effect on April 1, 2022, with full compliance extended to May 1, 2022. Regulators should provide supervised institutions with the logistics for notification in early 2022.
Which organizations have to comply with this rule?
The rule applies to “banking organizations” and their “service providers,” and requires banking organizations to provide notification “as