_edited.jpg)
Benjamin W. McDonough, Senior Deputy Comptroller and Chief Counsel
Nov 23, 2021
Computer-Security Incident Notification: Final Rule
The rule requires a bank to notify the OCC as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred. The bank must provide this notification to the appropriate OCC supervisory office, or OCC-designated point of contact, through email, telephone, or other similar methods that the OCC may prescribe.
https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-55.html
Highlights
The rule requires a bank to notify the OCC as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred. The bank must provide this notification to the appropriate OCC supervisory office, or OCC-designated point of contact, through email, telephone, or other similar methods that the OCC may prescribe.
The rule defines computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
A notification incident generally would include a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.
The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer bank as soon as possible when it determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the bank for four or more hours. If the bank has not previously provided a designated point of contact, the notification must be made to the bank’s chief executive officer and chief information officer or to two individuals of comparable responsibilities.
Background
Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as nonmalicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect a bank’s networks, data, and systems and, ultimately, its ability to resume normal operations.
In addition, banks have become increasingly reliant on bank service providers to provide essential services. Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their bank customers or have other significant impact on a customer bank.
This rule will help ensure that the OCC knows about and can respond in a timely manner to material and adverse computer-security incidents affecting banks.
Further Information
Please contact Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519; or Carl Kaminski, Assistant Director, or Priscilla Benner, Senior Attorney, Chief Counsel’s Office, (202) 649-5490.
Benjamin W. McDonough
Senior Deputy Comptroller and Chief Counsel