Federal Banking Regulators Issue New Guidance for Cyber Incidents

Alexander Boyd

Email

816.572.4470

Bio and Articles

Noor K. Kalkat

Email

310-203-5361

Bio and Articles

Federal Banking Regulators Issue New Guidance for Complying with 36 Hour Cybersecurity Incident Reporting Requirement

by: Alexander Boyd, Noor K. Kalkat of Polsinelli PC - Intelligence

Friday, April 1, 2022

Print Mail Download

i

On March 29, 2022, federal banking regulators issued important guidance for how banking organizations can comply with the upcoming requirement to notify regulators within 36 hours of ransomware or other disruptive cybersecurity incidents. Banking organizations and service providers must be compliant with the new rule by May 1, 2022.

Summary of the Rule

On November 23, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Federal Reserve), and the Office of the Comptroller of the Currency (OCC) (collectively, the “Agencies”) issued a joint final rule to require banking organizations to provide prompt notice to federal regulators following discovery of ransomware or other disruptive cybersecurity incidents. The rule requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a notification has occurred. The Polsinelli data privacy and security team previously provided detailed information on these new requirements, which can be accessed here.

Guidance for Reporting Incidents

On March 29, 2022, the Agencies issued specific guidance for regulated banking organizations to follow when making the required reports following an incident:

FDIC Incident Reporting information (FIL-12-2022):

FDIC supervised banks can comply with the rule by reporting an incident to their case manager, who serves as a primary FDIC contact for supervisory-related matters or to any member of an FDIC examination team if the incident occurs during an examination.
If a bank is unable to access these supervisory team contacts, the bank may notify the FDIC by email at incident@fdic.gov.

Federal Reserve Incident Reporting information (SR 22-4 / CA 22-3):

A banking organization whose primary federal regulator is the Board, must notify the Board about a notification incident by email to incident@frb.gov or by telephone to (866) 364-0096.
If a banking organization is unsure of whether it is experiencing a notification incident for purpose of notifying the Board, the board encourages the organization to reach out to the Board via email or telephone.

OCC Incident Reporting information (Bulletin 2022-8):

A bank is required to notify the OCC after the bank determines that the notification incident has occurred.
To satisfy this requirement, the bank may email may call its supervisory office, submit a notification via the BankNet website, or contact the BankNet Help Desk at BankNet@occ.treas.gov or by phone at (800) 641-5925.