Three federal agencies responsible for regulating the financial services industry have issued rules requiring banks to disclose significant security breaches to that institution’s “primary regulator” no later than 36 hours following their discovery.

The rule, which will take effect in May of 2022, directs entities regulated by the Federal Deposit Insurance Corporation, the Federal Reserve System, and the Office of the Comptroller of the Currency to report any security incidents triggering a notification obligation to the bank’s customers that their data may have been compromised. Previously, there was no specified time frame for financial institutions to give notice to their regulators of such incidents. Additionally, service providers catering to the financial services industry will now be required to notify each of their banking customers as soon as practicable of any cybersecurity incident which has caused, or is reasonably likely to cause, a service disruption lasting more than four hours.

In a related development, the Securities Industry and Financial Markets Association announced it successfully completed an industry-wide cybersecurity drill designed to demonstrate Wall Street’s preparedness to respond to ransomware attacks. These initiatives underscore recent efforts by government and industry leaders to address the growing threat cyber risks pose to the stability of financial markets.




EMOI Servs. LLC v. Owners Ins. Co., No. 29128 (Ohio Ct. App. Nov. 5, 2021)

In a decision that appears to swim against the tide of other rulings, an Ohio appeals court recently held a business that suffered a loss of access to its computer network following a ransomware attack had made a valid claim that could trigger coverage under its property policy.  

While policyholder advocates have lauded this decision, some legal scholars have expressed concern that by expanding the scope of loss under property policies, insurers could end up covering cyber matters under policies not originally designed for that purpose, a phenomenon known as “silent cyber.” Over the past two years, cases involving claims for “loss of use” of property as a result of COVID-19 restrictions have largely been decided in the favor of insurers, since insureds were not able to show tangible damage to their property. However, in a split decision, the appellate panel here held that a temporary loss of access to a computer system due to a cyberattack could constitute property damage.


The Takeaway 

The precedent setting value of this case remains unclear. The property policy in question covered physical loss or damage to “media,” which the insured argued included both its computer server and software, rather than just the server, as the insurer maintained. Property underwriters do not ordinarily review an applicant’s network security, or price for that risk. Because of this, insurers may respond to this holding by inserting absolute cyber exclusions into their property policies.