Cyber Incident Notification Requirements for Banking Organizations and Service Providers – Proposed Rule

Cyber Incident Notification Requirements for Banking Organizations and Service Providers – Proposed Rule

December 18, 2020, Covington Alert

On December 18, 2020, the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, and Federal Deposit Insurance Corporation issued a notice of proposed rulemaking requiring a banking organization to notify its primary federal regulator within 36 hours of a significant cybersecurity incident and requiring a bank service provider to notify at least two individuals at an affected banking organization customer of a significant cybersecurity incident that could disrupt services for four or more hours. The proposed rule’s notification requirement is intended to provide an early alert to the banking organization’s regulator of emerging threats to the banking organization and the broader financial system.