Guest Commentary


By Leonard J. Essig and Melissa G. Powers, Lewis Rice


New Rule Requires Banks Notify Regulators of Security Incidents


Federal bank regulatory agencies recently announced the final rule about cyber incidents that may affect the U.S. banking system. The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation jointly issued the final rule Nov. 18, 2021, and compliance is required by May 1, 2022.


Under the final rule, a banking organization's primary federal regulator must receive notification as soon as possible and no later than 36 hours after the banking organization determines that a significant computer-security incident, known as a "notification incident," has occurred. Further, the final rule separately requires a bank service provider to notify each of its affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.


DEFINITION OF NOTIFICATION INCIDENTS

The final rule defines a "notification incident" as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's:

1. ability to carry out banking operations, activities or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business

22 mobankers.com


2. business line(s), including associated operations, services, functions and support, that upon failure would result in a material loss of revenue, profit or franchise value


3. operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the U.S.


Under the final rule, a "computer-security incident" is an occurrence that results in actual harm to the confidentiality, integrity or availability of an information system or the information that the system processes, stores or transmits. The final rule contains a nonexhaustive list of computer-security incidents, such as unrecoverable system failures; widespread system outages; cyber-related interruptions, such as distributed denial of service, hacking and ransomware attacks; and other types of significant operational interruptions, including those that result in customers being unable to access their deposit and other accounts for an extended period of time.

