The Federal Deposit Insurance Corporation (FDIC) issued a Final Rule (the rule) establishing computer-security incident notification requirements for all FDIC-supervised institutions.
The Final Rule was a joint effort between the FDIC, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency (OCC) and aims to provide agencies with early awareness of threats to both banks and the financial system.
According to the FDIC press release, FDIC-supervised banking organizations will be required to notify the FDIC no later than 36 hours after the banking organization determines that a computer-security incident that rises to the level of a notification incident has occurred. The press release also provides key definitions and instructions outlined below for FDIC-supervised institutions.
What Is a Computer-Security Incident Under the FDIC Rule?
The rule defines a computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or to the information that the system processes, stores or transmits.
What Is a Notification Incident Under the FDIC Rule?
A notification incident is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s (i) ability to carry out banking operations, activities or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions and support, that upon failure, would result in a material loss of revenue, profit or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. For example, a notification incident may include a major computer-system failure, a cyber-related interruption such as a distributed denial-of-service or ransomware attack, or another type of significant operational interruption.
How Do Bank Service Providers Notify Affected Banking Organizations?
The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible after the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to the banking organization for four or more hours. If the banking organization has not previously provided a designated point of contact, the notification must be made to the banking organization’s chief executive officer and chief information officer, or to two individuals of comparable responsibilities.
The final rule takes effect on April 1, 2022, with full compliance required by May 1, 2022. The FDIC will provide supervised institutions with the logistics for FDIC notification in early 2022.
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should only be relied upon when coordinated with individual professional advice.