Pub. 13 2022 Issue 1

wvbankers.org 30 West Virginia Banker

Continued from page 29

or more hours. The reporting requirement does not apply to any scheduled maintenance, testing, or software update previously communicated to the bank. A computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

Bank Obligations

The bank is obligated to evaluate the impact of computer-security incidents occurring within its own systems or the systems of a Bank Service Provider and determine whether the incident constitutes a “Notification Incident.” A Notification Incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s:

1. Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
2. Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
3. Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would threaten the financial stability of the United States.

The bank is obligated to notify its primary regulator as soon as possible, but no later than 36 hours after it determines that the computer-security incident constitutes a Notification Incident. The preferred method of contact will be provided to the bank by its regulator.

Updating Your Computer-Security Incident Response Plan

Based on 2019 and 2020 data, the agencies have estimated that at least 3% of banks will need to report a computer-security incident each year, but acknowledge the number could grow.

Given the potential disruption and expense related to computer-security incidents, this is a significant risk for a community bank. The 36-hour notice requirement highlights the bank’s responsibility to move quickly after discovering a computer-security incident and assess the incident’s likely impact, even if the incident originates with a third-party vendor. Banks should not generally assume that third-party vendors such as core processors will take the lead on computer-security incidents. Banks bear ultimate responsibility for responding to incidents that impact their customers and safe and sound banking operations. Incidents require rapid coordination of internal and external resources to address some or all of the following actions:

• Detect a computer-security incident;
• Analyze and document the incident;
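The following is an added illustration, not part of the article and not code from the agencies or any bank: a small Python triage record that applies the definitions above in the order a response plan would (the pre-communicated maintenance exclusion, the actual-harm test, the three Notification Incident criteria) and computes the 36-hour deadline from the time the bank makes its determination rather than from the time of detection. The dataclass fields, status strings, and the two sample incidents are assumptions constructed for the example; the 36-hour window and the criteria are as the article states them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
NOTIFY_WINDOW = timedelta(hours=36)   # "no later than 36 hours after it determines ..."


@dataclass
class Incident:
    """Assumed record layout for one computer-security incident (example only)."""
    ident: str
    source: str                                # "bank" or "service_provider"; provider incidents count too
    detected_at: datetime
    actual_harm: bool                          # harm to confidentiality, integrity or availability occurred
    scheduled_and_communicated: bool = False   # maintenance/test/update announced to the bank beforehand
    # Each criterion flag is True when the disruption has occurred OR is reasonably likely to occur.
    material_ops_disruption: bool = False      # criterion 1: operations or products for a material share of customers
    material_business_line_loss: bool = False  # criterion 2: business line whose failure costs revenue/franchise value
    threatens_us_stability: bool = False       # criterion 3: failure would threaten US financial stability
    determined_at: Optional[datetime] = None   # when the bank concluded it is a Notification Incident
    notified_at: Optional[datetime] = None     # when the primary regulator was notified


def classify(inc: Incident) -> str:
    """Apply the definitions in order: exclusion, incident test, then the notification criteria."""
    if inc.scheduled_and_communicated:
        return "excluded_scheduled_maintenance"
    if not inc.actual_harm:
        return "no_incident"
    if inc.material_ops_disruption or inc.material_business_line_loss or inc.threatens_us_stability:
        return "notification_incident"
    return "incident_no_notification_required"


def notification_deadline(inc: Incident) -> Optional[datetime]:
    """36 hours from the determination, not from detection; None until a determination is recorded."""
    if classify(inc) != "notification_incident" or inc.determined_at is None:
        return None
    return inc.determined_at + NOTIFY_WINDOW


def notification_status(inc: Incident, now: datetime) -> str:
    """Where the incident stands relative to the notification clock at time `now`."""
    if classify(inc) != "notification_incident":
        return "not_required"
    deadline = notification_deadline(inc)
    if deadline is None:
        return "pending_determination"
    if inc.notified_at is not None:
        return "notified_on_time" if inc.notified_at <= deadline else "notified_late"
    return "overdue" if now > deadline else "due"


# Constructed sample records (not real incidents).
CORE_OUTAGE = Incident(
    ident="INC-2022-0001",
    source="service_provider",
    detected_at=datetime(2022, 3, 1, 2, 0, tzinfo=UTC),
    actual_harm=True,
    material_ops_disruption=True,      # online banking unavailable for most customers
    determined_at=datetime(2022, 3, 1, 9, 30, tzinfo=UTC),
)
PATCH_WINDOW = Incident(
    ident="INC-2022-0002",
    source="service_provider",
    detected_at=datetime(2022, 3, 5, 1, 0, tzinfo=UTC),
    actual_harm=True,                  # availability was lost, but ...
    scheduled_and_communicated=True,   # ... it was a software update announced in advance
    material_ops_disruption=True,
)

if __name__ == "__main__":
    for inc in (CORE_OUTAGE, PATCH_WINDOW):
        print(inc.ident, classify(inc), notification_deadline(inc))
    print(notification_status(CORE_OUTAGE, datetime(2022, 3, 2, 22, 0, tzinfo=UTC)))
```

The point worth carrying into a response plan is the split between `detected_at` and `determined_at`: the outage in the sample is detected at 02:00 but the 36-hour clock only starts at the 09:30 determination, so the deadline is 21:30 the next day. The plan should therefore record who made the determination and when, and the same record should be opened for incidents at a core processor or other Bank Service Provider, since the bank rather than the vendor owns the notification.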
