May 1st is Around the Corner: Bank Computer-Security Incident Notification Requirements
A few months ago, we published a post about the OCC, FDIC, and Federal Reserve Board’s final rule to improve information sharing about cyber incidents that may affect the U.S. banking system. Under the final rule, banks and their service providers must notify their primary federal regulators within 36 hours after a notification incident has occurred. In their latest update, the regulators remind banks that, starting May 1, they must notify their primary federal regulators about computer-security incidents. Below is the contact information and the process for contacting each regulator:
OCC: Banks may satisfy the notification requirement of the final rule by contacting their supervisory office or by using one of the following to communicate a notification incident:
BankNet: Registered BankNet members may securely submit an incident from the home page. Users should register for BankNet well before an incident occurs, so that the notification process is more efficient if and when an incident occurs.
BankNet Help Desk: Email: BankNet@occ.treas.gov; Phone: (800) 641-5925
FDIC: FDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as the primary FDIC contact for all supervisory-related matters, or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: firstname.lastname@example.org.
Federal Reserve: A banking organization whose primary federal regulator is the Board must notify the Board about a notification incident by email to email@example.com or by telephone to (866) 364-0096. The Board must receive this notification from a banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. If a banking organization is in doubt as to whether it is experiencing a notification incident for purposes of notifying the Board, the Board encourages the banking organization to contact the Board by email to firstname.lastname@example.org or by telephone to (866) 364-0096.
Putting it into Practice: Banks should keep in mind that there are only a few weeks left before the rule goes into effect. The final rule applies equally to banking service providers; thus, parties should ensure that security incidents impacting vendors are appropriately addressed in vendor contracts so banks can meet the new regulatory expectations (we recently discussed the impact of banking regulations on third-party service providers in previous Consumer Finance and FinTech blog posts here and here). Time is of the essence when dealing with computer-security incidents, so familiarizing yourself with the final rule and having the above information at the ready will better prepare your compliance and response functions.