West Virginia Banker | Pub. 13 2022 | Issue 1 Spring | Page 29

Implementing Computer-Security Incident Notice Requirement a Good Reason to Revisit Your Response Plan

By Mark Mangano, Jackson Kelly PLLC

Banks bear ultimate responsibility for responding to incidents that impact their customers and safe and sound banking operations. The three primary banking regulators have issued a new rule effective April 1, 2022, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” (“Notice Requirement”).¹ Complying with the new rule should be relatively easy, but a deeper consideration of the associated obligations should prompt a bank to review its computer-security incident response plan, policies, procedures, and cyber-risk insurance coverage.

Notice Requirement

The Notice Requirement is intended to promote a bank providing timely notice to its primary regulator when the bank experiences a computer-security incident that materially and adversely affects the bank or bank holding company supervised by the Federal Reserve, OCC, or FDIC. The rule generally applies to banks and entities subject to the Bank Service Company Act (“Banking Service Provider”).

Bank Service Provider Obligation

A Bank Service Provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the Bank Service Provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four

Continued on page 30