On November 17, 2021, the Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC) released a final rule that requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
Now the FDIC (FIL-12-2022), the OCC (Bulletin 2022-8), and the Board (SR22-4/CA 22-3) have issued guidance on who to contact when reporting an incident starting May 1, 2022.
- OCC – OCC-supervised banks may make the required notification by emailing their supervisory office, or by using BankNet to submit an incident from the BankNet home page. Banks must be registered users of BankNet to use the portal. and should do so well before an incident occurs. If a bank is unsure whether it is experiencing a notification incident under the rule, the bank should contact its supervisory office.
- FDIC – FDIC-supervised banks can comply with the rule by notifying their case manager of an incident. They may also comply with the rule by notifying any member of an FDIC examination team if the event occurs during an examination. If the bank cannot access its supervisory team contacts, it can notify the FDIC by email at incident@fdic.gov.
- FRB – Federal Reserve Board member banks must notify the Board about a notification incident by email to incident@frb.govor telephone to (866) 364-0096.
More information about the final rule was contained in our November blog article.