FDIC Issues Final Computer-Security Incident Notification Requirements for Banking Organizations

The Federal Deposit Insurance Corporation (FDIC) issued a Final Rule (the rule) establishing computer-security incident notification requirements for all FDIC-supervised institutions.

The Final Rule was a joint effort between the FDIC, the Board of Governors of the Federal Reserve System and the Office of the Comptroller of the Currency (OCC) and aims to provide agencies with early awareness of threats to both banks and the financial system.

According to the FDIC press release, FDIC-supervised banking organizations will be required to notify the FDIC no later than 36 hours after the banking organization determines that a computer-security incident that rises to the level of a notification incident has occurred. The press release also provides key definitions and instructions outlined below for FDIC-supervised institutions.

What Is a Computer-Security Incident Under the FDIC Rule?

The rule defines a computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or to the information that the system processes, stores or transmits.

What Is a Notification Incident Under the FDIC Rule?

A notification incident is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s (i) ability to carry out banking operations, activities or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions and support, that upon failure, would result in a material loss of revenue, profit or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. For example, a notification incident may include a major computer-system failure, a cyber-related interruption—such as a distributed denial of service or ransomware attack, or another type of significant operational interruption.

How Do Bank Providers Notify the FDIC?

The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer banking organization as soon as the bank service provider determines a computer-security incident has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the banking organization for four or more hours. If the banking organization has not previously provided a designated point of contact, the notification must be made to the banking organization’s chief executive officer and chief information officer or to two individuals of comparable responsibilities.

The final rule takes effect on April 1, 2022, with full compliance extended to May 1, 2022. The FDIC will provide supervised institutions logistics for FDIC notification in early 2022.

Related Links

• FDIC Press Release
• FDIC Final Rule PDF

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.