IT Examiner School eBook May 2025

Internal Use Only

Computer Security Incident Notification Rule

The FDIC, FRB, and OCC issued a joint final rule in 2021 establishing computer-security incident notification requirements for banking organizations (BOs) and bank service providers. A BO must notify its primary federal regulator as soon as possible, and no later than 36 hours, after it determines that a computer-security incident rising to the level of a "notification incident" has occurred. A bank service provider has a separate duty to notify each affected BO customer as soon as possible once it determines that a computer-security incident has materially disrupted or degraded its services for four or more hours.

The rule took effect April 1, 2022, and compliance was required by May 1, 2022.

The FTC amended its Safeguards Rule in October 2023 to require non-banking financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unencrypted information of at least 500 consumers.

Sources:
www.fdic.gov/news/financial-institution-letters/2021/fil21074.html
www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches


SEC Public Company Cybersecurity Disclosures

In July 2023, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.

An Item 1.05 Form 8-K is generally due four (4) business days after a registrant determines that a cybersecurity incident is material. The clock starts at the materiality determination, not at discovery of the incident, and the determination must be made without unreasonable delay after discovery.

In the Form 8-K, companies must describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.

The rule also requires companies to describe, in the annual report on Form 10-K, (1) their processes for identifying, assessing, and managing material risks from cybersecurity threats, and (2) the board's oversight of those risks and management's role and expertise in assessing and managing them.

The final rule became effective 30 days after publication in the Federal Register, and the Form 10-K disclosures were required beginning with annual reports for fiscal years ending on or after December 15, 2023.

Source: SEC.gov, "SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies," fact sheet for Release No. 33-11216 (33-11216-fact-sheet.pdf)
