U.S. Federal Agencies issue a new breach notification rule for banking organisations
As the financial services industry continues to see cybersecurity incidents of increasing frequency and severity, three U.S. authorities – the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and the Federal Deposit Insurance Corporation (FDIC) – have issued a new rule imposing certain breach notification standards on “Banking Organizations” and “Bank Service Providers”.
According to the three authorities, the notification requirements will give regulators i) better awareness of emerging, larger threats to financial systems, ii) better assessments of the threats and risks posed by an incident, and help them facilitate proper steps to mitigate the threat, iii) a better ability to provide banks with assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection, and iv) input to inform future guidance and adjust supervisory programs.
According to the new rule, Banking Organizations must notify the appropriate agency within 36 hours of certain computer-security incidents. Bank Service Providers must also notify affected Banking Organizations “as soon as possible” in the event of an equivalent incident. The rule takes effect on 1 April 2022, and entities must be fully compliant by 1 May 2022. While the three agencies each define “Banking Organization” differently, the rule will apply to most banks (or similar entities) operating in the U.S., as Luas Schaetzel and Ryan Sulkin analyse in their recent contribution published at JD Supra.