Reed Smith Client Alerts

A proposed federal rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” would impose notification requirements on banking organizations and their service providers when cybersecurity incidents (as defined in the proposed rule) occur.

The rule was issued Jan. 12, 2021, by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC). The rule’s comment period concluded April 12.

The issuing agencies argue that the adoption of this proposed rule would support their missions by, among other things, requiring that agencies have earlier notice of emerging threats to individual banking organizations and the broader financial system. This notice may help limit losses in the event of significant data security incidents.

The proposed rule is largely seen to be in response to the recent security event at SolarWinds. In early 2020, SolarWinds was the subject of a major cybersecurity attack by foreign hackers. This attack left 18,000 customers vulnerable to hackers, including private companies and, significantly, multiple U.S. government agencies.

This proposed rule would establish two primary requirements: first, it would require a “banking organization” (as defined below) to notify its primary federal regulator of a “notification incident” no later than 36 hours after reasonably determining that a triggering event had occurred; second, it would require a “bank service provider” to notify a banking organization immediately upon detecting the occurrence of an incident that materially impacts the service provider. Current public comments on the rule largely focus on the accelerated reporting timeline that the rule would require.

Who is covered

The proposed rule generally would apply to two types of entities: banking organizations and bank service providers.

It defines “banking organizations” as: 1) for the OCC, national banks, federal savings associations, and federal branches and agencies; 2) for the Federal Reserve Board, all U.S. bank holding companies and savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, and Edge and agreement corporations; and 3) for the FDIC, all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.

It separately defines “bank service providers” as bank service companies or other persons “providing services to a banking organization that are subject to the Bank Service Company Act (BSCA).”