Federal Banking Agencies Issue Final Rule Regarding Cyber Incident Notification Requirements: Final Rule Requires Banking Organizations to Notify Primary Federal Regulator of Certain Cyber Incidents Within 36 Hours, and Bank Service Providers to Notify Banking Organization Customers as Soon as Possible

Sullivan & Cromwell LLP - November 22, 2021

On November 18, 2021, federal bank regulators issued a final rule mandating the reporting of certain significant cybersecurity incidents. The final rule requires a banking organization to notify its primary banking regulator within 36 hours of any “computer-security incident” that has disrupted or degraded, or is reasonably likely to disrupt or degrade, (i) its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base; (ii) business lines, including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. Under the final rule, bank service providers are required to notify at least one designated point of contact at affected banking organization customers as soon as possible after any computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services for four or more hours.
