Banks regulated by the Federal Deposit Insurance Corporation will have 36 hours to report a computer security incident to the FDIC, according to a joint final ruling issued Thursday.
The joint rule issued by the FDIC, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) defines a computer security incident as something that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
Banks would need to notify the FDIC if a cyber incident disrupted or degraded the bank’s operations, activities and processes.
“The final rule the FDIC has approved, along with the OCC and the Board of Governors of the Federal Reserve System, addresses a gap in timely notification to the banking agencies of the most significant computer-security incidents affecting banking organizations, allowing the FDIC and our fellow banking supervisors to be better positioned to understand and to respond to cybersecurity threats across the banking sector," said FDIC Chairman Jelena McWilliams in a statement.
Service providers are also required to notify at least one bank-designated point of contact at each affected customer banking organization “as soon as possible” when the service provider determines that their customer has experienced a computer security incident that has materially disrupted or degraded a bank for four or more hours.
The final rule takes effect on April 1, 2022, with full compliance extended to May 1, 2022.