
Federal Banking Regulators Issue New Guidance for Complying with 36 Hour Cybersecurity Incident Reporting Requirement

On March 29, 2022, federal banking regulators issued important guidance for how banking organizations can comply with the upcoming requirement to notify regulators within 36 hours of ransomware or other disruptive cybersecurity incidents. Banking organizations and service providers must be compliant with the new rule by May 1, 2022. 

Summary of the Rule

On November 23, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Federal Reserve), and the Office of the Comptroller of the Currency (OCC) (collectively, the “Agencies”) issued a joint final rule requiring banking organizations to provide prompt notice to federal regulators following discovery of ransomware or other disruptive cybersecurity incidents. The rule requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The Polsinelli data privacy and security team previously provided detailed information on these new requirements, which can be accessed here.

Guidance for Reporting Incidents

On March 29, 2022, the Agencies issued specific guidance for regulated banking organizations to follow when making the required reports following an incident:

FDIC Incident Reporting information (FIL-12-2022):

  • FDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as the primary FDIC contact for supervisory-related matters, or to any member of an FDIC examination team if the incident occurs during an examination.

  • If a bank is unable to access these supervisory team contacts, the bank may notify the FDIC by email at [email protected].

Federal Reserve Incident Reporting information (SR 22-4 / CA 22-3):

  • A banking organization whose primary federal regulator is the Board must notify the Board about a notification incident by email to [email protected] or by telephone at (866) 364-0096.

  • If a banking organization is unsure whether it is experiencing a notification incident for purposes of notifying the Board, the Board encourages the organization to reach out to the Board by email or telephone.

OCC Incident Reporting information (Bulletin 2022-8):

  • A bank is required to notify the OCC after the bank determines that the notification incident has occurred.

  • To satisfy this requirement, the bank may email or call its supervisory office, submit a notification via the BankNet website, or contact the BankNet Help Desk at [email protected] or by phone at (800) 641-5925.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XII, Number 91

About this Author

Alex Boyd, Data Privacy Lawyer, Polsinelli

Alexander D. Boyd is an associate in the Technology Transactions and Data Privacy practice. Working with Polsinelli attorneys in the Intellectual Property Department, he advises clients on data privacy compliance, cybersecurity, and best practices for internet-based businesses. Alex uses his experience as a Certified Information Privacy Professional (CIPP/US) and as a litigator to provide his clients practical advice regarding domestic and international privacy and cybersecurity regulations, data privacy audits, Federal Trade Commission compliance, GDPR compliance,...

Noor K. Kalkat, Privacy Compliance Attorney, Polsinelli

Noor Kalkat is an associate in the Technology Transactions and Data Privacy Practice group. Her practice focuses on assisting clients with privacy and data compliance matters and advising on breach response matters. Prior to joining Polsinelli, Noor was a privacy and compliance analyst at the University of California, San Francisco Medical Center. She provided guidance on international, federal and state privacy laws, including the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA)...