Banking Computer-Security Incident Notification Requirements Take Effect – Finance and Banking

Marion Steward

Financial institutions and their service providers should
prepare to meet new computer-security notice requirements by May 1,
2022.

On April 1, 2022, new computer-security incident notification
requirements for banks and their service providers take effect in
the United States. The new requirements expand and clarify the
existing notification obligations of financial institutions, which
are primarily focused on consumer protection and suspicious
activity reporting. Additionally, the new requirements obligate
service providers to notify their financial institution customers
in the event of certain computer security incidents.

Financial institutions and service providers should revise their
incident response and business continuity procedures to ensure that
they will meet these new requirements when compliance is required
on May 1, 2022.


Historically, the federal banking regulators required financial
institutions to file two types of reports for certain cybersecurity incidents. First, under the
safeguarding authority of the Gramm-Leach-Bliley Act, certain
financial institutions have been required to notify their federal
regulator of incidents (including cybersecurity incidents)
involving unauthorized access to sensitive consumer information.
Second, under the reporting requirements of the Bank Secrecy Act,
certain financial institutions are required to report incidents involving suspicious

Separately, states have moved in recent years to impose broader
cybersecurity incident reporting requirements on state-regulated
financial institutions. For example, the New York Department of
Financial Services requires institutions that it regulates to
report certain cybersecurity events to the agency within 72 hours.
Similar requirements have been imposed by some state insurance
regulators as part of their adoption of the NAIC Insurance Data
Security Model Law. These state laws are in addition to the
consumer breach notification laws adopted by all 50 states and the
District of Columbia, which may require notification to a state
agency as well as the consumers

How and When


The notification requirements impose obligations on financial
institutions and their service providers. For these purposes, a
financial institution includes a national or state bank, a savings
association, an Edge or agreement corporation, a U.S. branch or
agency of a foreign bank, and a bank or savings and loan holding
company. The federal banking regulators confirmed in the preamble
to the new requirements that nonbank subsidiaries of financial
institutions generally are not required to provide notice, unless
they otherwise fall within the definition. A covered financial
institution does not include credit unions.

Financial institutions and computer-security incident

Financial institutions are required to notify their appropriate
federal regulator of a “notification incident” as soon
as possible and no later than 36 hours after the institution
determines that a reportable event occurred. This is shorter than
the reporting deadline established by other regulators, such as the
New York Department of Financial Services.

The notification may be provided in written or oral form
(including email or telephone) and may be made to the
institution’s designated point-of-contact at the federal
regulator. The notification should convey whatever general
information is known to the institution regarding the incident but
does not need to be made using a specific form or format.

When a computer-security incident notification is required

A “notification incident” is a computer security
incident that has materially disrupted or degraded:

1. The ability of the institution to carry out banking
operations, activities or processes or deliver banking products and
services to a material portion of its customer base, in the
ordinary course of business;

2. Any business line of an institution, including associated
operations, services, functions and support, and the incident would
result in a material loss of revenue, profit or franchise value;

3. Those operations of an institution, including associated
services, functions and support, as applicable, the failure or
discontinuance of which would pose a threat to the financial
stability of the United States.

While the definition is broad, there are materiality qualifiers
that could limit its applicability to a small subset of incidents.
A “computer security incident” is further defined as
“an occurrence that results in actual harm to the
confidentiality, integrity, or availability of an information
system or the information that the system processes, stores, or
transmits.” This is narrower than the definition in the
proposal, which would have included potential occurrences and
occurrences that constituted a violation or imminent threat of
violation of security policies, security procedures, or acceptable
use policies.

However, the federal regulators have emphasized that the
definition of a computer security incident remains broad and can
include non-malicious occurrences, such as the failure of hardware
and software and personnel errors.

Service providers and computer-security incident

A service provider is any person or entity that performs services
for a financial institution that are subject to the Bank Service
Company Act. This can include an affiliate or another financial
institution that provides covered services. While the new
requirements do not further define the services that are subject to
that law, the federal regulators arguably have abandoned their
expansive position that covered services could include components
that underlie other covered services.

The new requirements explicitly obligate a service provider to
notify each affected financial institution customer as soon as
possible after the service provider determines that it has
experienced a computer security incident that has materially
disrupted or degraded, or is reasonably likely to materially
disrupt or degrade, covered services provided to a financial
institution for four or more hours. A service provider may comply
with its duty by notifying a contact designated by the financial
institution or, if no such contact has been designated, notifying
the financial institution’s chief executive officer and chief
information officer (or two individuals of comparable
responsibilities). To ensure that notices are directed to the
correct persons for immediate action, financial institutions should
consider establishing a monitored email address and including this
email address in their contracts with service providers.

While many existing service provider contracts already include
incident-reporting provisions, these new requirements apply to
service providers regardless of the content of a contract with the
financial institution. Further, the new requirements do not
abrogate contracts that contain more stringent incident-reporting

Be Prepared


The new requirements become effective on April 1, 2022, but
compliance is not required until May 1, 2022. Financial
institutions and their service providers should use the remaining
month to review their incident response policies and playbooks to
ensure that they address the new requirements discussed above.
While it is likely that they already have procedures for
identifying and reporting a wide range of incidents, the relevant
thresholds, timing, and report formats vary across regulators and
jurisdictions. Accordingly, financial institutions and service
providers may need to add provisions addressing these new
requirements. Furthermore, financial institutions may want to
establish a monitored email address for notice and include it in
contracts to ensure timely receipt of these notices from service

Additionally, service providers should consider how they will go
about notifying financial institution customers. For some service
providers, it may be more efficient to agree to a designated point
of contact in advance to avoid the scramble of finding contact
information for a customer’s chief executive officer and chief
information officer during an incident. Approaches will vary across
service providers, particularly those with larger and more complex
business operations, but should be thought through now.

Originally published by Abrigo

Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
“Mayer Brown Practices”). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited
liability partnerships established in Illinois USA; Mayer Brown
International LLP, a limited liability partnership incorporated in
England and Wales (authorized and regulated by the Solicitors
Regulation Authority and registered in England and Wales number OC
303359); Mayer Brown, a SELAS established in France; Mayer Brown
JSM, a Hong Kong partnership and its associated entities in Asia;
and Tauil & Chequer Advogados, a Brazilian law partnership with
which Mayer Brown is associated. “Mayer Brown” and the
Mayer Brown logo are the trademarks of the Mayer Brown Practices in
their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.
