On March 29, 2022, federal banking regulators issued important guidance for how banking organizations can comply with the upcoming requirement to notify regulators within 36 hours of ransomware or other disruptive cybersecurity incidents. Banking organizations and service providers must be compliant with the new rule by May 1, 2022.
Summary of the Rule
On November 23, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Federal Reserve), and the Office of the Comptroller of the Currency (OCC) (collectively, the “Agencies”) issued a joint final rule requiring banking organizations to provide prompt notice to federal regulators following discovery of ransomware or other disruptive cybersecurity incidents. The rule requires a banking organization to notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The Polsinelli data privacy and security team previously provided detailed information on these new requirements, which can be accessed here.
Guidance for Reporting Incidents
On March 29, 2022, the Agencies issued specific guidance for regulated banking organizations to follow when making the required reports following an incident:
FDIC Incident Reporting information (FIL-12-2022):
- FDIC supervised banks can comply with the rule by reporting an incident to their case manager, who serves as a primary FDIC contact for supervisory-related matters or to any member of an FDIC examination team if the incident occurs during an examination.
- If a bank is unable to access these supervisory team contacts, the bank may notify the FDIC by email at email@example.com.
Federal Reserve Incident Reporting information (SR 22-4 / CA 22-3):
- A banking organization whose primary federal regulator is the Board must notify the Board about a notification incident by email to firstname.lastname@example.org or by telephone to (866) 364-0096.
- If a banking organization is unsure whether it is experiencing a notification incident for purposes of notifying the Board, the Board encourages the organization to reach out to the Board by email or telephone.
OCC Incident Reporting information (Bulletin 2022-8):
- A bank is required to notify the OCC after the bank determines that the notification incident has occurred.
- To satisfy this requirement, the bank may email or call its supervisory office, submit a notification via the BankNet website, or contact the BankNet Help Desk at BankNet@occ.treas.gov or by phone at (800) 641-5925.
For more information, contact Polsinelli’s team of Privacy and Cybersecurity attorneys.