OCC Bulletin 2021-55 | November 23, 2021

Computer-Security Incident Notification: Final Rule

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

On November 23, 2021, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers.

Note for Community Banks

This final rule applies to community banks.[1]

Highlights

  • The rule requires a bank to notify the OCC as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred. The bank must provide this notification to the appropriate OCC supervisory office, or OCC-designated point of contact, through email, telephone, or other similar methods that the OCC may prescribe.
  • The rule defines computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
  • A notification incident generally would include a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.
  • The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer bank as soon as possible when it determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the bank for four or more hours. If the bank has not previously provided a designated point of contact, the notification must be made to the bank’s chief executive officer and chief information officer or to two individuals of comparable responsibilities.

Background

Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as nonmalicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect a bank’s networks, data, and systems and, ultimately, its ability to resume normal operations.

In addition, banks have become increasingly reliant on bank service providers to provide essential services. Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their bank customers or have other significant impact on a customer bank.

This rule will help ensure that the OCC knows about and can respond in a timely manner to material and adverse computer-security incidents affecting banks.

Further Information

Please contact Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519; or Carl Kaminski, Assistant Director, or Priscilla Benner, Senior Attorney, Chief Counsel’s Office, (202) 649-5490.

Benjamin W. McDonough
Senior Deputy Comptroller and Chief Counsel

[1] “Banks” refers to national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.