OCC Bulletin 2022-8 | March 29, 2022

Information Technology: OCC Points of Contact for Banks’ Computer-Security Incident Notifications

To

Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

Summary

Effective May 1, 2022, banks¹ must use the designated points of contact listed in this bulletin to satisfy the incident notification requirements established in the interagency final rule for banks and their bank service providers dated November 23, 2021. The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published the final rule to help promote early awareness of emerging threats to banks, their bank service providers, and the broader financial system and to help the agencies react to these threats before they become systemic.²

Banks and their bank service providers must comply with the final rule starting May 1, 2022. Under the final rule, a notification incident generally includes a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the bank’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector. Incidents may include a major computer-system failure; a cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.  

Note for Community Banks

This bulletin applies to community banks.

Highlights

  • A bank must notify the OCC after the bank determines that a notification incident has occurred, and the OCC must receive this notice as soon as possible and no later than 36 hours after the bank’s determination.
  • To satisfy the notification requirement, the bank may email or call its supervisory office, submit a notification via the BankNet website, or contact the BankNet Help Desk starting on May 1, 2022. Refer to the “OCC Points of Contact for Banks” section of this bulletin.

OCC Points of Contact for Banks

Starting on May 1, 2022, banks may satisfy the notification requirement of the final rule by contacting their supervisory office or by using one of the following to communicate a notification incident:

If a bank is unsure whether it is experiencing a notification incident for purposes of the final rule, the bank should contact its supervisory office.³

Further Information

Please contact Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519; or Carl Kaminski, Assistant Director, or Priscilla Benner, Counsel, Chief Counsel’s Office, (202) 649-5490.

 

Grovetta Gardineer
Senior Deputy Comptroller for Bank Supervision Policy

1 "Banks" refers collectively to national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations.

2 Refer to 86 Fed. Reg. 66424 (November 23, 2021).

3 The final rule also defines the notification requirements for bank service providers that experience certain incidents. If a bank service provider is unsure whether it has experienced a computer-security incident that meets this threshold, the OCC encourages the bank service provider to contact the affected banking organization customer(s) or the service provider’s own legal counsel.