IT Security Incident Reporting Requirement Comes into Force April 1, 2022 | Thompson Coburn LLP
The Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (“prudential banking regulators”) have issued a final rule regarding the reporting requirement for computer security incidents.
The final rule requires a “banking organization” to notify its primary federal regulator of a “computer security incident” that rises to the level of a “notification incident”. Notification must be delivered to the primary federal regulator as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a “bank service provider”, defined as a “bank service company or other person who performs [services covered under the Bank Service Company Act]”, to “inform a banking organization” as soon as possible when the bank service provider determines that it has experienced a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the covered services provided to that banking organization for four or more hours.
The rule defines a “computer security incident” as “an event that causes actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits”. 12 CFR §§ 53.2(4), 225.301(4), 304.22(4). A “notification incident” is a computer security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.” 12 CFR §§ 53.2(7), 225.301(7), 304.22(7).
The new incident notification requirements are distinct from the existing breach notification requirements issued in 2005 under the safeguards authority granted to the prudential banking regulators by the Gramm-Leach-Bliley Act. The rule takes effect April 1, 2022, and the compliance date is May 1, 2022.