Banking organizations and their service providers are now subject to a tight 36-hour breach notification timeframe—the shortest timeline of any U.S. data breach notification law. Starting earlier this month, on May 1, covered banks and providers were required to be in full compliance with a new cyber incident notification rule (“Banking Rule”), issued by the Federal Reserve, the Federal Deposit Insurance Corporation (“FDIC”), and the Treasury Department’s Office of the Comptroller of the Currency (“OCC”) (“the Agencies”), mandating disclosure of triggering cybersecurity incidents (“notification incidents”) within 36 hours after an organization determines such an incident has occurred.
As we observed in a previous post, the Banking Rule, which became effective on April 1, comes at a time when cyberattacks are on the rise and when regulators have, in response to increasing cyber intrusions, enacted or proposed a series of stringent incident reporting requirements. In December 2021, the Federal Trade Commission (“FTC”) proposed an amendment to the recently updated Safeguards Rule that, if adopted, would require covered financial institutions to report to the FTC any security event involving the misuse of customer information of at least 1,000 consumers. Shortly thereafter, in February, the Securities and Exchange Commission (“SEC”) proposed extensive new rules for registered investment advisers and registered investment companies (“funds”) that would, among other things, require advisers to report “significant adviser cybersecurity incidents” and “significant fund cybersecurity incidents” to the SEC within 48 hours of concluding an incident occurred. A month later, the SEC followed up with proposed updates its public-company cybersecurity disclosure rules, which, if adopted, would compel issuers to file an amended Form 8-K within four business days after a triggering material cybersecurity incident took place.
Notably, the final Banking Rule, as well as the flurry of recently proposed cyber reporting regulations, surfaced against the backdrop of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which President Biden signed into law in March, that requires owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Critical Infrastructure Agency (CISA) within 72 hours. CIRCIA’s 72-hour timeframe is in line with the breach reporting timeline of the EU’s Global Data Protection Regulation (“GDPR”) and the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation, which applies to certain insurance and other financial services companies licensed in New York.