On March 29, 2022, the US federal banking regulators released instructions on how financial institutions should comply with recently adopted computer-security incident notification requirements. These instructions will assist financial institutions in satisfying their obligations under the new requirements once compliance is required on May 1, 2022.
Notification Requirements
Cyber Incident Reporting for Critical Infrastructure Act Signed Into US Law as Part of Omnibus Appropriations Legislation
On March 15, 2022, President Biden signed into law the Consolidated Appropriations Act, 2022, H.R. 2471. Division Y of this omnibus appropriations legislation—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—will create significant new rules requiring US critical infrastructure entities to report cybersecurity incidents and ransom payments to the US government. This legislation marks…
SEC Proposes Amendments That Would Place New Cybersecurity Reporting and Disclosure Requirements on Public Companies
On March 9, 2022, the US Securities and Exchange Commission (SEC) voted 3-1 to propose new rules and amendments under the Securities Exchange Act of 1934 that would constitute the SEC’s first attempt to adopt specific rules to comprehensively regulate cybersecurity risk management, strategy, governance and incident reporting for public companies (“registrants”). The stated goals…
Breach Notification Requirement Finalized by US Banking Regulators
On November 18, 2021, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”) and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) finalized new cyber incident notification requirements for institutions that they regulate and their service providers (the…
Booking.com fined by Dutch data protection authority for delays in reporting data breach
Following an international investigation in cooperation with other European privacy regulators, on 31 March 2021 the Dutch data protection authority (“Autoriteit Persoonsgegevens – AP”) released its decision (available here in Dutch) to impose a fine of €475,000 on Booking.com (incorporated in Amsterdam) arising from its delays in reporting a data breach incident (the
New Incident Notification Requirements Proposed by Federal Regulators for US Financial Institutions and Their Service Providers
In December 2020, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”), and Federal Deposit Insurance Corporation (“FDIC,” collectively with the Federal Reserve and OCC, the “Federal Regulators”) proposed new cyber incident notification requirements for institutions that they regulate and their service providers (the “Proposal”).…
US National Futures Association Adopts Notification Requirement for Certain Cybersecurity Incidents
On January 7, 2019, the National Futures Association (“NFA”), a US self-regulatory organization, announced that it had adopted amendments to its information security requirements that include a cybersecurity incident notification obligation. As discussed below, the NFA’s amendments represent the continued maturation of information security in the US financial services sector and are incremental, rather…
Data Breach Notification Requirements Coming from EU Expand Obligations for Organizations Worldwide
The General Data Protection Regulation (“GDPR” or “Regulation”), adopted on April 27, 2016, introduces a new regime for the protection of personal data in the European Union (“EU”). The Regulation will replace the current data protection directive, Directive 95/46/EC (“Directive”). The GDPR will apply in all EU member states from May 25, 2018.