Is Your Institution Prepared for the Computer-Security Incident Rule?

In CSI’s seventh annual Banking Priorities survey, bankers selected cybersecurity as the issue most likely to affect the financial industry in 2022, with employee-targeted phishing named as the top cybersecurity threat. CSI’s survey also found that 39% of bankers listed data privacy as their primary regulatory concern, which is well-founded, as the recent computer-security incident rule for reporting cyber incidents compounds their responsibility to protect data.

As cybercriminals deploy harder-to-detect methodologies, financial institutions must remain vigilant against attacks designed to infiltrate their networks, data and systems. Early awareness and detection help financial institutions more effectively combat threats by allowing them to react before the threats become widespread. To enhance awareness and reporting, federal bank regulatory agencies approved a final rule to improve the sharing of information about computer-security incidents.

Download the 2022 Banking Priorities Executive Report to gain insight into bankers’ perspectives on top regulatory issues, strategies to combat cyber threats and more.

What is the Final Rule for Computer-Security Incident Reporting?

In November 2021, the Office of the Comptroller of the Currency, the Federal Reserve Board and the Federal Deposit Insurance Corporation finalized a rule requiring banking organizations to notify their primary federal regulator of any qualifying “computer-security incident” as soon as possible but no later than 36 hours after occurrence. The rule also requires bank service providers to notify affected customers as quickly as possible if the provider experiences a computer-security incident that has affected, or is reasonably likely to affect, customers for four or more hours by disrupting services.

This notification is required for any incident that substantially affects, or is reasonably likely to affect, the viability of a banking organization’s operations, its ability to deliver banking products and services or the financial sector’s stability. This rule became effective April 1, 2022, and applicable organizations must be compliant beginning May 1, 2022.

What is a Computer-Security Incident?

The final rule defines a computer-security incident as “an occurrence that results in actual harm to an information system or the information contained within it.” Computer-security incidents can result from malware, malicious software or cyberattacks. Often these originate from social engineering, as well as non-malicious failure of hardware and software or human error.

Malware, malicious software or cyberattacks originating from social engineering can be the cause of computer-security incidents.

This final rule is triggered, and an institution must alert its regulator within 36 hours, when a computer-security incident becomes a notification incident. The rule states that a notification incident is a computer-security incident that has materially disrupted, or is reasonably likely to materially disrupt, a banking organization’s banking operations, business lines or associated services or functions.

Examples of a computer-security incident that could become a notification incident include, but are not limited to:

  • Cyber-related interruptions, such as ransomware attacks or large-scale distributed denial of service attacks
  • Computer hacking incidents that disable banking operations for an extended period
  • Major computer system failures, such as a failed system upgrade that results in outages for customers
  • Other types of significant operational interruptions

Complying with the Computer-Security Incident Rule

Your institution should have an incident response plan (IRP) that includes action steps and a communication strategy to guide you in the event of a cybersecurity incident. With the new 36-hour requirement for notifications, your institution should revisit your IRP and incorporate processes to meet this computer-security incident rule. Here are four questions to consider as you update your IRP:

  • How does your institution review security incidents?
  • What qualifies as an incident? Does this align with the definition of a computer-security incident within the final rule?
  • If an incident occurs, how quickly will you send notifications?
  • What is your process for sending notifications?
Revisit your IRP to ensure your institution has processes in place to comply with the new 36-hour notification requirement.

Enhance Your Institution’s Incident Response Plan

Spend the time upfront to ensure you address this new notification requirement by refining your IRP. As cyber threats evolve and cybercriminals become more aggressive, the question is not whether your institution will experience an attack, but when. Maintaining an effective IRP and testing it regularly will put your institution in a stronger position to weather a cyberattack and its aftermath.

Download your copy of the 2022 Banking Priorities Executive Report for additional insight into meeting regulatory requirements, fending off cybersecurity threats and more.


Steve Sanders serves as CSI’s chief information security officer. In his role, Steve leads CSI’s information security vision, strategy and program, and chairs the company’s Information Security Committee. He also oversees vulnerability monitoring and awareness programs as well as information security training. With more than 15 years of experience focused on cybersecurity, information security and privacy, he employs his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber-risk oversight.


Get In Touch

Are you looking for the edge to outperform the competition? CSI is a full-service technology and compliance partner.

Let’s talk