Update on Cybersecurity Breach Notification Requirements

(Published in the Summer 2022 issue of The Bankers’ Statement)

As cybersecurity concerns and threats continue to rise exponentially for banks of all sizes and types, the regulatory landscape is changing just as quickly. Within the last year alone, the federal banking agencies, the Securities and Exchange Commission (SEC), and Congress have all undertaken various rulemaking initiatives surrounding this topic, as described in greater detail below. Banks should closely monitor these initiatives as they unfold to better understand how each may affect their ongoing cybersecurity incident notification obligations.

Federal Banking Agencies

On November 23, 2021, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (FRB), and the Federal Deposit Insurance Corporation (FDIC) published a final rule establishing computer-security incident notification requirements.1 The rule applies equally to all banks and bank holding companies, including national banks, federal savings associations, state-chartered banks, bank holding companies, and savings and loan holding companies. Also, it’s important to note that unlike some of the proposed rules…
