
December 31, 2021

Federal Financial Regulators Tighten Timelines for Reporting Ransomware Attacks


As anticipated, the Department of the Treasury's Office of the Comptroller of the Currency ("OCC"), the Board of Governors of the Federal Reserve System ("Federal Reserve"), and the Federal Deposit Insurance Corporation ("FDIC") recently approved and released the Final Rule Requiring Computer-Security Incident Notification ("Final Rule"). The Final Rule is designed to promote early awareness of computer-security incidents and to stop them before they become systemic. It places new reporting requirements on both U.S. banking organizations and bank service providers.

The Final Rule applies to banking organizations regulated by the OCC, the Federal Reserve, and the FDIC. Covered banking organizations are required to provide notice to their relevant regulator when a "Notification Incident" occurs. A Notification Incident is a computer-security incident that results in actual harm to the confidentiality, integrity, or availability of information or an information system, where that occurrence has—or is reasonably likely to—materially disrupt or degrade:

(1) a banking organization's ability to carry out banking operations or deliver banking products and services to a material portion of its customer base;

(2) business line(s), that upon failure would result in a material loss of revenue, profit, or franchise value; or

(3) operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The Final Rule specifically calls out ransomware and DDoS attacks as potential Notification Incidents. Banking organizations that suffer a Notification Incident must provide notice to their respective regulator as soon as possible, and no later than 36 hours after determining that the incident has occurred. Despite the 36-hour notification window, covered banking organizations that offer "sector-critical services" are encouraged to provide same-day notification. Finally, the required notice may be provided by email, telephone, or any similar method later prescribed by the regulators for providing notice.

The Final Rule also requires that bank service providers notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible once the bank service provider determines that it has experienced a computer-security incident that has—or is reasonably likely to—materially disrupt or degrade covered services for four or more hours. Banking organizations and service providers are required to work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner. This requirement is designed to enable a banking organization to promptly respond to an incident, determine whether it must notify its primary federal regulator, and take any other measures that may be appropriate.

The Final Rule is likely to impact the operations of both banking organizations and bank service providers. Banking entities should closely review the definitions in the Final Rule to determine whether they fall within its scope. Moving forward, covered entities should expect to include relevant notification provisions in new and existing service contracts. Covered entities will also want to ensure that they create internal policies and procedures for identifying when an incident requiring notification has occurred, and for specifying what steps must be taken, and by whom, to provide notice to the relevant parties in compliance with the Final Rule.

