Computer Security Incidents Notification

On November 18, 2021, the FDIC, OCC, and Federal Reserve approved a final rule requiring institutions to notify their primary federal regulator of any significant computer-security incidents (notification incident) as soon as possible, and no later than 36 hours, after the institution determines that a cyber incident has occurred.

Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

    • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
    • Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
    • Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Notification is required for incidents that have materially affected—or are reasonably likely to materially affect—the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector.

In addition, the final rule requires bank service providers to notify affected customer banks as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect customers for four or more hours.

The Computer Security Incidents Notification Rule is effective April 1, 2022, with compliance required by May 1, 2022.

 

Please be advised that CSG provides financial services compliance audit and consulting services to our clients.  The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers.  Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services.  Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest.  Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.

Leave a Reply

Your email address will not be published. Required fields are marked *