June 28, 2022

Volume XII, Number 179

Advertisement
Advertisement

June 28, 2022

Subscribe to Latest Legal News and Analysis

June 27, 2022

Subscribe to Latest Legal News and Analysis

May 1st is Around the Corner: Bank Computer-Security Incident Notification Requirements

A few months ago, we published a post about the OCC, FDIC, and Federal Reserve Board’s final rule to improve information sharing about cyber incidents that may affect the U.S. banking system. Under the final rule, banks and their service providers must notify their primary federal regulators within 36 hours after a notification incident has occurred. In the latest update from the regulators, they remind banks that starting May 1, banks must notify their primary federal regulators about computer-security incidents. Below is the contact information and the process for contacting each regulator:

OCCBanks may satisfy the notification requirement of the final rule by contacting their supervisory office or by using one of the following to communicate a notification incident:

  • BankNet: Registered BankNet members may securely submit an incident from the home page. Users should register for BankNet well before an incident occurs, so that the notification process is more efficient if and when an incident occurs.

  • BankNet Help Desk: Email: BankNet@occ.treas.gov; Phone: (800) 641-5925

FDICFDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as the primary FDIC contact for all supervisory-related matters, or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov.

Federal Reserve: A banking organization whose primary federal regulator is the Board must notify the Board about a notification incident by email to incident@frb.gov or telephone to (866) 364-0096. The Board must receive this notification from a banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. If a banking organization is in doubt as to whether it is experiencing a notification incident for purposes of notifying the Board, the Board encourages the banking organization to contact the Board by email to incident@frb.gov or telephone to (866) 364-0096

Putting it into Practice: Banks should keep in mind that there are only a few weeks left before the rule goes into effect. The final rule applies equally to banking service providers – thus parties should ensure that security incidents impacting vendors are appropriately addressed in vendor contracts so banks can meet new regulatory expectations (we recently discussed the impact of banking regulations on third party service providers in previous Consumer Finance and FinTech blog posts here and here). Time is of the essence when dealing with computer-security incidents, so familiarizing yourself with the final rule and having the above information at the ready will better prepare your compliance and response functions.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 92
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Moorari Shah Bankruptcy Lawyer Sheppard Mullin Law Firm
Partner

Moorari Shah is a partner in the Finance and Bankruptcy Practice Group in the firm's Los Angeles and San Francisco offices. 

Areas of Practice

Moorari combines deep in-house and law firm experience to deliver practical, business-minded legal advice. He represents banks, fintechs, mortgage companies, auto lenders, and other nonbank institutions in transactional, licensing, regulatory compliance, and government enforcement matters covering mergers and acquisitions, consumer and commercial lending, equipment finance and leasing, and supervisory examinations,...

213-617-4171
A.J. S. Dhaliwal Bankruptcy Attorney Sheppard Mullin Washington DC
Associate

A.J. is an associate in the Finance and Bankruptcy Practice Group in the firm's Washington, D.C. office. 

A.J. has over a decade of experience helping banks, non-bank financial institutions, and other companies providing financial products and services in a wide range of matters including government enforcement actions, civil litigation, regulatory examinations, and internal investigations.

With a diversified regulatory, compliance, and enforcement background, A.J. counsels financial institutions in matters involving...

202-747-2323
Snehal Desai, attorney, Sheppard Mullin
Attorney

Snehal Desai is an associate in the Intellectual Property Practice Group in the firm's San Francisco office. She is a member of the Privacy and Cybersecurity Team, the Advertising Team and the Technology Transactions Team.

Areas of Practice

Advertising: Snehal advises clients in conducting advertising campaigns, contests and sweepstakes, and brand marketing campaigns. 

Technology and Commercial Transactions: Snehal drafts and negotiates...

415-774-2960
Advertisement
Advertisement
Advertisement