On March 29, 2022, the FDIC, the Federal Reserve and the OCC issued reminders of their upcoming interagency final rule and provided clarification on the contact information banks must use to notify them when they experience a cyber notification incident. Starting May 1, 2022, banks regulated by the FDIC, Federal Reserve, or OCC (and their bank service providers) must comply with a new final rule that requires notification to regulators of certain computer-security incidents.
Under the final rule, a notification incident generally includes a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the bank’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector. In other words, incidents will generally include things like a major computer-system failure; a cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption. The final rule provides specific requirements for how banks must notify their primary regulator.
The issuances by the three banking regulators both 1) remind banks of the upcoming rule and 2) outline the designated points of contact banks must use to satisfy the incident notification requirements established in the interagency final rule. Specifically, each regulator provided the following information regarding how banks must contact them:
FDIC (FIL-12-2022): "FDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as the primary FDIC contact for all supervisory-related matters, or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov."
Federal Reserve (SR22-4/CA 22-3): "A banking organization whose primary federal regulator is the Board must notify the Board about a notification incident by email to incident@frb.gov or telephone to (866) 364-0096. The Board must receive this notification from a banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. If a banking organization is in doubt as to whether it is experiencing a notification incident for purposes of notifying the Board, the Board encourages the banking organization to contact the Board by email to incident@frb.gov or telephone to (866) 364-0096. A banking organization should also contact its central point of contact about a notification incident."
OCC (Bulletin 2022-8): "To satisfy the notification requirement, the bank may email or call its supervisory office, submit a notification via the BankNet website, or contact the BankNet Help Desk starting on May 1, 2022..." "...Starting on May 1, 2022, banks may satisfy the notification requirement of the final rule by contacting their supervisory office or by using one of the following to communicate a notification incident: [1] BankNet - Registered BankNet members may securely submit an incident from the home page. The OCC recommends that users register for BankNet well before an incident occurs. [2] BankNet Help Desk - Email: BankNet@occ.treas.gov Phone: (800) 641-5925. [3] If a bank is unsure whether it is experiencing a notification incident for purposes of the final rule, the bank should contact its supervisory office."
The full FIL-12-2022 can be found here.
The full SR22-4/CA 22-3 can be found here.
The full Bulletin 2022-8 can be found here.