New proposed rule requires banks to notify regulators within 36 hours of a cybersecurity incident
-- By Peter Marta, Tim Tobin, Jasmeet Ahuja, and Jake Nevola of Hogan Lovells.
On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking (NPRM) titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule). The Proposed Rule would create accelerated notification obligations for banking organizations and bank service providers in the event of a “‘computer-security incident’ that rises to the level of a ‘notification incident.’” Importantly, the Proposed Rule focuses on security events that disrupt financial institutions’ operations and not just security events that impact sensitive customer information, some of which would not be covered by the Proposed Rule.