On 11/18/21, the joint agencies issued a final rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system. According to the FDIC’s press release, the final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred. Notification will be required for incidents that have materially affected—or are reasonably likely to materially affect—the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.

In addition, the FDIC’s release explains that the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.

Compliance with the final rule is required by May 1, 2022.

The Interagency Statement can be found here.

Adam Witmer

Adam Witmer is a speaker, author, and founder of the Compliance Cohort. Adam has taught hundreds of seminars and training sessions to thousands of bankers throughout the United States and teaches on all areas of regulatory compliance. Adam has written five e-books that he never published, hit a grizzly bear while driving in a National Park, and is an award winning photographer and musician (though he no longer takes photos nor plays any instruments). In his spare time, Adam can be found kayaking on the lake, doing taekwondo with his kids, working on his (project) house, or spending time with his family.

Website

Become a Free Member