• Henry Park

More notification requirements for US-based financial services firms (and their service providers)


In December 2020, federal financial regulators proposed a rule that would require, within 36 hours of determining that a cyber-security incident occurred, (a) financial service firms to report the incident to regulators, and (b) service providers to report to financial service firms.


The notifying business would have to notify the appropriate party when a computer-security incident occurs that "could materially disrupt, degrade, or impair -- (i) the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or (iii) those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States." This rule continues the movement toward providing notification to relevant parties.