OCC Designates Points of Contact for Computer Security Incident Notifications

With a joint agency final rule requiring banks to notify their primary regulatory within 36 hours of becoming aware of computer security incidents that are considered “notification incidents” taking effect on May 1, the OCC today issued a bulletin reminding banks of their notification responsibilities and specifying points of contact.

For the purposes of the rule, a “notification incident” generally includes “a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the bank’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector,” the OCC said. “Incidents may include a major computer-system failure; a cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.”

Under the rule, a bank must notify the OCC as soon as possible after determining that a notification incident has occurred, and no later than 36 hours after the bank’s determination. To satisfy the notification requirement, the bank may email or call its supervisory office, submit a notification via the BankNet website, BankNet.gov, or contact the BankNet Help Desk.