New Rule States Banking Organizations Must Report Significant Computer-Security Incidents within 36 Hours

The Federal Deposit Insurance Corporation (FDIC) has issued a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers.

Under the new rule, a banking organization must notify the FDIC of a "notification incident" as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has occurred. The clock starts at the determination, not at the moment of the underlying incident, so the time an organization takes to investigate and reach that conclusion is not counted against the 36 hours.

The rule defines a computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

A notification incident is a narrower category: a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, any of the following:

the banking organization’s ability to carry out banking operations, activities, or processes, or to deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

business lines, including associated operations, services, functions, and support, whose failure would result in a material loss of revenue, profit, or franchise value; or

operations, including associated services, functions, and support, whose failure or discontinuance would pose a threat to the financial stability of the United States.

Only incidents that reach this materiality threshold trigger the 36-hour notification obligation; a computer-security incident that causes actual harm but does not materially disrupt the organization does not, by itself, have to be reported.

The rule also places an obligation on bank service providers, and their trigger is different from the banking organization’s. A bank service provider must notify at least one bank-designated point of contact at each affected customer banking organization as soon as possible when the provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. The provider notifies the bank, not the FDIC; it is then the banking organization’s responsibility to assess whether the provider’s incident rises to a notification incident that must be reported to the FDIC within the 36-hour window.

Help is available

The business attorneys at O’Reilly Rancilio are available to answer your questions regarding the new FDIC requirements. For more information, please call 586-726-1000 or visit our website.
