On March 29, 2022, the US federal banking regulators released instructions on how financial institutions should comply with recently adopted computer-security incident notification requirements.[1] These instructions will assist financial institutions in satisfying their obligations under the new requirements once compliance is required on May 1, 2022.
On November 18, 2021, the Board of Governors of the Federal Reserve System (“Federal Reserve”), Office of the Comptroller of the Currency (“OCC”) and Federal Deposit Insurance Corporation (“FDIC”) finalized new cyber incident notification requirements for the financial institutions that they regulate and service providers to those institutions. In relevant part, a financial institution is now required to notify its appropriate federal regulator of a “notification incident” as soon as possible and no later than 36 hours after the institution determines that a reportable event occurred. (Please see our earlier Legal Update for a more detailed discussion of the new requirements for financial institutions and their service providers.)
The instructions explain how a financial institution will be expected to notify its federal regulator of a notification incident. The procedure is different for each regulator:
- Federal Reserve: A US bank holding company, US savings and loan holding company, state member bank, US operations of a foreign banking organization, Edge corporation or agreement corporation must notify the Board about a notification incident by (i) email to email@example.com or (ii) telephone to (866) 364-0096.[2]
- OCC: A national bank, federal savings association, or federal branch or agency of a foreign bank must notify the OCC about a notification incident by (i) contacting their OCC supervisory office, (ii) submitting an incident through BankNet, (iii) emailing BankNet@occ.treas.gov or (iv) calling (800) 641-5925.
- FDIC: An insured state nonmember bank, insured state savings association or insured state-licensed branch of a foreign bank must notify the FDIC about a notification incident by (i) contacting their FDIC case manager, (ii) contacting any member of an FDIC examination team if the institution is undergoing an examination or (iii) emailing firstname.lastname@example.org.
The Federal Reserve and OCC instructions note that an institution should contact its primary supervisory contact if the institution is unsure whether it is experiencing a reportable incident. Additionally, the OCC instructions state that a service provider should contact the affected financial institution customers or the service provider’s own legal counsel if the service provider is unsure whether a computer-security incident has occurred that would require reporting to the institution.[3]
The instructions provided by the federal regulators are relatively clear and should be easy for most financial institutions to incorporate into their incident response plans and regulatory affairs procedures. However, the instructions do not shed further light on the required content of an incident notification. Notwithstanding regulator statements that there is “no specific content or format” for notifications and that the notifications are intended only to “alert the agencies to such incidents,” we expect many financial institutions will grapple with difficult decisions about what information to include in a notification. This is particularly true in the early stages of an incident, when the information known to an institution may change rapidly.
[1] Federal Reserve, SR 22-4 (Mar. 29, 2022), https://www.federalreserve.gov/supervisionreg/srletters/SR2204.htm; OCC, Bull. 2022-8 (Mar. 29, 2022), https://occ.gov/news-issuances/bulletins/2022/bulletin-2022-8.html; FDIC, FIL-12-2022 (Mar. 29, 2022), https://www.fdic.gov/news/financial-institution-letters/2022/fil22012.html.
[2] While not addressed in the instructions, the Federal Reserve’s guidance regarding the content of notifications of unauthorized access to customer information presumably remains in effect until and unless rescinded. See Federal Reserve, SR 05-23 (Dec. 1, 2005).
[3] Service providers do not have an obligation to report incidents directly to the federal banking regulators unless they also are financial institutions (e.g., a national bank that provides services to other national banks).