
InfoBytes Blog

Financial Services Law Insights and Observations

Agencies propose computer-security incident notification rule

Agency Rule-Making & Guidance FDIC Federal Reserve OCC Privacy/Cyber Risk & Data Security


On December 18, the FDIC, Federal Reserve Board, and the OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM), which would require supervised banking organizations to promptly notify their primary regulator within 36 hours of becoming aware that a “computer-security incident” that rises to the level of a “notification incident” has occurred. Additionally, the NPRM would require bank service providers “to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.” According to the agencies, these “notification incidents” are significant computer-security incidents that have the potential to “jeopardize the viability of the operations of an individual banking organization,” and may affect the safety and soundness or stability of the banking organization, leading to a disruption in the delivery of bank products and services, among other things. The agencies stress, however, that the required notice is intended to serve as an early alert and not as an assessment of the incident. According to a statement released by FDIC Chairman Jelena McWilliams, only computer-security incidents that meet the definition of a “notification incident” must be reported, a figure estimated at roughly 150 incidents a year based on a review of supervisory data and suspicious activity reports.

Comments on the NPRM are due 90 days after publication in the Federal Register.