The US Office of the Comptroller of the Currency, the Federal Reserve Board, and the Federal Deposit Insurance Corporation on Friday proposed a new computer-security incident notification requirement for banking organizations and their bank service providers.
The proposed rule would require a banking organization to provide its primary federal regulator with prompt notification of any “computer-security incident” no later than 36 hours after it believes the incident occurred. A computer-security incident is defined as:
An occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
The rule is proposed in light of the increased frequency and severity of cyberattacks reported to federal law enforcement in recent years. Its intent is not to provide an assessment of a cyber incident, but to give primary federal regulators timely notice of significant cyber disruptions.
Bank service providers would be required to notify banking organizations immediately after they experience a security incident that could potentially “disrupt, degrade, or impair services provided for four or more hours.”
The agencies also noted that the existing reporting standards, including filing Suspicious Activity Reports under the Bank Secrecy Act, do not require reporting of every incident and serve a different purpose from the proposed notification requirement.
Comments on the proposal must be received within 90 days of its publication in the Federal Register.