Thirty-Six Hour Breach Notification Rule Puts Banking Organizations on Notice

In response to the growing threat to financial stability posed by cybersecurity incidents, the Office of the Comptroller of the Currency (OCC), the U.S. Department of the Treasury, the Federal Reserve Board, and the Federal Deposit Insurance Corporation (FDIC) (collectively, the “agencies”) published a rule titled “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” (the “Rule”) on November 23, 2021 that has significant implications for banking organizations’ incident response policies and procedures.

The Rule will go into effect on April 1, 2022, and covered entities must comply by May 1, 2022. While multifaceted, the Rule stands out for one major aspect of notification that heretofore few U.S. breach notifications did: speed, requiring notice in many cases to be made in 36 hours after discovery of covered computer security incidents. The rule marks a major shift in how banking organizations must respond to data breaches and other disruptions of banking services caused by computer security incidents.

Who Must Comply With The Rule?

Both “banking organizations” and “bank service providers” must comply with the rule (with limited exceptions).

Banking organizations include national banks, federal savings associations, and federal branch agencies of a foreign bank. The Rule specifies what types of entities are designated as banking organizations by their primary regulator:

  • The OCC: national banks, federal savings associations, and federal branches and agencies of foreign banks.
  • The Federal Reserve: U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.
  • The FDIC: insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations.

Bank Service Providers are bank service companies that are subject to the Bank Service Company Act, or people who perform those services. Covered services include, for example:

  • Check and deposit sorting and posting;
  • Computation and posting of interest and other credits and charges;
  • Preparation and mailing of checks, statements, notices, and similar items; and
  • Other clerical, bookkeeping, accounting, statistical, or similar functions performed for a bank.

What Incidents Are Covered?

Computer security incidents that rise to the level of a “notification incident” are covered by the Rule. Computer security incidents are defined broadly as “an occurrence that results in actual harm to an information system or the information contained within it.” This is designed to be more narrowly focused than the commonly-used NIST definition – which does not require actual harm – because the Rule focuses on “incidents most likely to materially and adversely affect banking organizations,” limiting coverage to occurrences that result “in actual harm to an information system or the information contained within it.” Examples of computer security incidents include:

  • Ransomware attacks that encrypt a core banking system or backup data
  • Distributed denial of service (DDoS) attacks disrupting customer account access
  • Vendor outages
  • Unrecoverable system failures
  • Hacking incidents that disable banking operations

Even if a computer security incident occurs, however, it does not rise to the level of a “notification incident” unless the banking organization determines the incident is reasonably likely to materially disrupt or degrade:

  • The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
  • Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Unlike many traditional breach notification laws, the Rule does not depend on the extent to which personal information was or may have been accessed.

What do Covered Entities Need to do?

Banking organizations must notify their primary federal regulator of any computer security incident within 36 hours after determining that it has risen to the level of a notification incident. This deadline is considerably tighter than those under most existing data breach and computer incident notification laws and regulations, even compared to the 72 hour reporting window of the GDPR and the New York DFS Cybersecurity Regulation.

Bank service providers must notify their banking organization clients as soon as possible when the bank service provider determines it has experienced a computer security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. Notification can be accomplished by informing at least one bank-designated point of contact at each affected banking organization. The obligation of a service provider to notify its banking organization customers about a service interruption is supposed to enable banking organizations to better assess whether the interruption is likely to have the type of impact that would trigger their own notification requirement.


Banking organizations and banking service providers should take the time between now and the start of enforcement in spring 2022 to review and update compliance protocols to account for the new standards, taking into account the very fast turnaround that regulators set forth for notification. Policies should include naming designated points of contact and establishing an efficient and clear identification and escalation process for potential notification incidents. If these steps are taken now, compliance should be manageable, allowing a compromised bank or service provider to focus its efforts on fixing the incident at hand.