The Office of the Comptroller of the Currency, Treasury (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) recently announced a “Notice of Proposed Rulemaking for the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” This new rule would require a banking organization to provide prompt notification to its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. According to the information released jointly by the agencies, they anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. Notification would be required only after that determination was made.

The proposed rule defines both a “computer-security incident” and a “notification incident.” Notification incidents trigger the notice to federal regulators. Some examples of notification incidents include large-scale outages, denial-of-service attacks that disrupt service for more than four hours, widespread system outages caused by the service providers of a bank's core banking platform, hacking and malware that cause widespread outages, system failures that result in the activation of a disaster recovery plan, and a ransomware attack that encrypts a core banking system or backup data.

In their notice, the agencies state that it is important that the primary federal regulator of a banking organization be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.

The proposed rule would apply to the following banking organizations: national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies and savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.

The agencies are seeking public comment on all aspects of the proposal including 16 specific questions related to the proposal. Comments must be received within 90 days of publication of the proposed rules in the Federal Register.

Morgan Stanley has settled, for $60 million, claims by the Office of the Comptroller of the Currency (OCC) that it failed to properly decommission data centers that housed client data of its wealth-management operations on two occasions, once in 2016 and once in 2019.

According to the OCC, Morgan Stanley “failed to effectively assess or address risks associated with decommissioning its hardware” by subcontracting the work out and failing to identify customer data that was stored on obsolete devices.

Morgan Stanley notified affected customers in July and is offering credit monitoring at no charge to its customers if they sign up by October 31.