Banking Regulators Approve Final Rule Establishing Cyber Incident Notification Requirements

On November 18, 2021, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (Board) announced a final rule requiring banking organizations to notify their primary regulator of certain significant computer-security incidents as soon as possible and no later than 36 hours after they occur.

The rule separately requires bank service providers to notify their bank customers if they experience a cyber incident that causes, or is reasonably likely to cause, a material disruption of services that lasts for four or more hours.

Please click here to continue reading on the Cleary Cybersecurity and Privacy Watch blog.

This article was republished by The Banking Law Journal.