
InfoBytes Blog

Financial Services Law Insights and Observations

Agencies provide points of contact for computer security incident notifications

Bank Regulatory Federal Issues OCC FDIC Federal Reserve Privacy/Cyber Risk & Data Security

On March 29, the FDIC, OCC, and Federal Reserve Board each issued guidance on how banking organizations should contact them under the final rule the three agencies issued last November. That rule requires a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours after it determines that a notification incident has occurred. As previously covered by InfoBytes, the “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” final rule requires notification for computer-security incidents that have affected: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify each affected banking organization customer as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, that banking organization’s covered services for four or more hours. Compliance with the final rule begins May 1.

FDIC FIL-12-2022 states that FDIC-supervised banks can comply with the final rule by notifying their case manager of an incident, by notifying any member of an FDIC examination team if the incident occurs during an examination, or, if a bank is unable to reach its supervisory team contacts, by notifying the FDIC by email.

OCC Bulletin 2022-8 provides points of contact that national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations may use to satisfy the final rule’s notification requirement. These institutions may contact their supervisory office, submit a notification through the BankNet website, or contact the BankNet Help Desk.

Fed SR 22-4/CA 22-3 states that Federal Reserve-supervised banking organizations should contact their designated point of contact about a notification incident and may submit the notice by email or by phone. Banking organizations are also encouraged to contact the Federal Reserve through the same channels if there is doubt as to whether an incident rises to the level of a notification incident. Bank service providers are encouraged to contact the affected banking organization customer or their own legal advisor if there is doubt as to whether a material disruption or degradation of services affecting that customer has occurred.