Federal Banking Regulators Issue New Guidance for Complying with 36 Hour Cybersecurity Incident Reporting Requirement

On March 29, 2022, federal banking regulators issued necessary steerage for how banking organizations can comply with the upcoming requirement to inform regulators inside 36 hours of ransomware or different disruptive cybersecurity incidents. Banking organizations and repair suppliers should be compliant with the brand new rule by Might 1, 2022. 

Abstract of the Rule

On November 23, 2021, the Federal Deposit Insurance coverage Company (FDIC), the Board of Governors of the Federal Reserve System (Federal Reserve), and the Workplace of the Comptroller of the Forex (OCC) (collectively, the “Agencies”) issued a joint ultimate rule to require banking organizations to offer immediate discover to federal regulators following discovery of ransomware or different disruptive cybersecurity incidents. The rule requires a banking group to inform its main federal regulator of any “computer-security incident” that rises to the extent of a “notification incident” as quickly as attainable and no later than 36 hours after the banking group determines {that a} notification has occurred. The Polsinelli knowledge privateness and safety workforce beforehand offered detailed info on these new necessities, which may be accessed here

Guidance for Reporting Incidents

On March 29, 2022, the Businesses issued particular steerage for regulated banking organizations to observe when making the required stories following an incident:

FDIC Incident Reporting info (FIL-12-2022):


  • FDIC supervised banks can comply with the rule by reporting an incident to their case supervisor, who serves as a main FDIC contact for supervisory-related issues or to any member of an FDIC examination workforce if the incident happens throughout an examination. 

  • If a financial institution is unable to entry these supervisory workforce contacts, the financial institution could notify the FDIC by e-mail at [email protected]

  • Federal Reserve Incident Reporting info (SR 22-4 / CA 22-3):


  • A banking group whose main federal regulator is the Board, should notify the Board a couple of notification incident by e-mail to [email protected] or by phone to (866) 364-0096.

  • If a banking group is not sure of whether or not it’s experiencing a notification incident for objective of notifying the Board, the board encourages the group to succeed in out to the Board by way of e-mail or phone. 

  • OCC Incident Reporting info (Bulletin 2022-8):


  • A financial institution is required to inform the OCC after the financial institution determines that the notification incident has occurred.

  • To fulfill this requirement, the financial institution could e-mail could name its supervisory workplace, submit a notification by way of the BankNet web site, or contact the BankNet Assist Desk at [email protected] or by cellphone at (800) 641-5925. 


    Source link