Most banks and their service providers are familiar with the final rule governing notice for "notification incidents" and "cyber security incidents." With compliance due by May 1, 2022, the rule establishes standards and deadlines for service providers to notify banks of such incidents and for banks to notify their primary federal regulator "as soon as possible and no later than 36 hours" after the bank "determines" that a notification incident has occurred. (For more, see this summary.) However, a recently enacted law requiring new rulemaking by the Cybersecurity and Infrastructure Security Agency (or CISA for short) within the Department of Homeland Security could upend a key compromise made during the finalization of the banking rules. Continue reading >