Late last year, federal financial institution regulators finalized new security incident notification requirements for the financial institutions they regulate and their service providers (“New Rules”). The New Rules take effect soon, with an effective date of April 1 of this year and mandated compliance starting on May 1.

What is new? The New Rules expand and clarify existing notification obligations of financial institutions which, prior to implementation of the New Rules, were primarily focused on consumer protection and suspicious activity reporting. The New Rules also obligate financial institution service providers to notify their financial institution customers in the event of certain defined security incidents, reflecting a trend by federal regulators to attempt to directly regulate financial institution third-party service providers and non-bank financial institutions generally, particularly in the cybersecurity arena.

What is required and when? In respect of covered financial institutions, the New Rules require notification to the institution’s primary federal regulator of any “computer-security incident that rises to the level of a notification incident.” The notification is required as soon as possible, but in no event later than 36 hours after a determination that such an incident has occurred. Importantly, not all incidents are notification incidents. Rather, only those incidents that “have materially affected, or are reasonably likely to materially affect…the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector” qualify. In any event, it is notable that the New Rules’ 36-hour notification deadline is shorter than data breach notification deadlines mandated by other regulators, including the Florida Department of Legal Affairs and the New York Department of Financial Institutions. 

In respect of covered financial institution service providers, the New Rules require notification to each affected financial institution customer as soon as possible following the service provider’s determination that it experienced a computer-security incident that “has caused or is reasonably likely to cause a material service disruption or degradation for four or more hours.” Under the New Rules, service providers can comply with this obligation by notifying a contact designated by the financial institution or, in the absence of a designation, by notifying the financial institution’s chief executive officer and chief information officer (or two individuals of comparable responsibilities).

Takeaway: With implementation of the New Rules fast approaching, financial institutions and their service providers should take steps to ensure that they have the proper policies, back-end procedures and contractual commitments in place necessary to comply. Please reach out to us with any questions or requests for further information in respect of the New Rules.


This publication is for general information only. It is not legal advice, and legal counsel should be contacted before any action is taken that might be influenced by this publication.

About Gunster

Gunster, Florida’s law firm for business, provides full-service legal counsel to leading organizations and individuals from its 11 offices statewide. Established in 1925, the firm has expanded, diversified and evolved, but always with a singular focus: Florida and its clients’ stake in it. A magnet for business-savvy attorneys who embrace collaboration for the greatest advantage of clients, Gunster’s growth has not been at the expense of personalized service but because of it. The firm serves clients from its offices in Boca Raton, Fort Lauderdale, Jacksonville, Miami, Orlando, Palm Beach, Stuart, Tallahassee, Tampa, Vero Beach, and its headquarters in West Palm Beach. With over 200 attorneys and 200 committed support staff, Gunster is ranked among the National Law Journal’s list of the 500 largest law firms and has been recognized as one of the Top 100 Diverse Law Firms by Law360. More information about its practice areas, offices and insider’s view newsletters is available at


Find a Professional

by Name

by Practice/Office