Proposed Rule Changes Would Dramatically Increase Reporting Requirements for Banks

The Treasury Department’s Office of the Comptroller of the Currency (OCC), the Federal Reserve Board and the FDIC are proposing rule changes that would dramatically increase the reporting requirements for banks that experience a “computer-security incident”.

While the time for public comment has passed and the rule changes are not final yet, here is the summary of what is being proposed.

“The OCC, Board, and FDIC (together, the agencies) invite comment on a notice of proposed rulemaking (proposed rule or proposal) that would require a banking organization to provide its primary federal regulator with prompt notification of any ‘computer-security incident’ that rises to the level of a ‘notification incident.’

The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.

This notification requirement is intended to serve as an early alert to a banking organization’s primary federal regulator and is not intended to provide an assessment of the incident.

Moreover, a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.”

Because the rule is drafted so expansively as currently written, it may impose a significant burden even on small community banks. To see the entire rule proposal go to: 

If you have any questions about IT security and how it affects your bank, call ITPAC today.