Reed Smith Client Alerts

Despite the lack of near-term prospects for passage of a comprehensive Federal privacy law, the Federal government recently issued new incident response rules and guidance addressing a variety of industry sectors, including banking and financial services, telecommunications, securities, healthcare, and critical infrastructure. These developments are expected to impact not only companies operating in these regulated sectors, but also vendors and suppliers, especially technology service providers. In particular, vendors can expect new demands from regulated customers and continued pressure to operationalize the proliferation of new requirements and expectations.

Banking and financial

A joint rule issued by the federal banking agencies (the OCC, the Board of Governors of the Federal Reserve System, and the FDIC) became effective this month. It prescribes new requirements and criteria that banking organizations and bank service providers (BSPs) must follow in identifying and responding to qualifying cybersecurity incidents.

The new banking rule defines a reportable computer security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. Critically, the rule does not define actual harm, although it does provide examples of qualifying incidents, such as DDoS and ransomware attacks.

For banking organizations, only the subset of computer security incidents that fall within the definition of a notification incident are required to be reported. A notification incident, in turn, is defined as a computer security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: