OCC Bulletin 2021-55

Benjamin W. McDonough, Senior Deputy Comptroller and Chief Counsel

Nov 23, 2021

Computer-Security Incident Notification: Final Rule

The rule requires a bank to notify the OCC as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred. The bank must provide this notification to the appropriate OCC supervisory office, or OCC-designated point of contact, through email, telephone, or other similar methods that the OCC may prescribe.

https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-55.html


Final rule as published in the Federal Register: 86fr66424.pdf (PDF, 454KB)

Highlights


The rule defines computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.


A notification incident generally would include a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.


The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer bank as soon as possible when it determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the bank for four or more hours. If the bank has not previously provided a designated point of contact, the notification must be made to the bank’s chief executive officer and chief information officer or to two individuals of comparable responsibilities.


Background

Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as nonmalicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect a bank’s networks, data, and systems and, ultimately, its ability to resume normal operations.


In addition, banks have become increasingly reliant on bank service providers to provide essential services. Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their bank customers or have other significant impact on a customer bank.


This rule will help ensure that the OCC knows about and can respond in a timely manner to material and adverse computer-security incidents affecting banks.


Further Information

Please contact Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519; or Carl Kaminski, Assistant Director, or Priscilla Benner, Senior Attorney, Chief Counsel’s Office, (202) 649-5490.



Benjamin W. McDonough

Senior Deputy Comptroller and Chief Counsel